Vulnerability Development mailing list archives

A Bug in the Recently Released BetaFTPD 0.0.8pre7 (fwd)


From: ssq () M-NET ARBORNET ORG (Bubonic)
Date: Tue, 21 Dec 1999 22:40:22 -0500


BetaFTPD 0.0.8pre7

I had just downloaded this program off of freshmeat to test it.
I decided to change it to go on port 21 (ftpd.h). After doing that
I configured and made the program. Then I ran it on my system
(Linux 2.2.9 RH 6.0) and the following logs tell the rest:

------------------------------ran the program------------------------------

bash-2.03# ./betaftpd --enable-xferlog --enable-fullscren
--enable-upload --enable-shadow &
[1] 4753
BetaFTPD version 0.0.8pre7, Copyright (C) 1999 Steinar H. Gunderson
BetaFTPD comes with ABSOLUTELY NO WARRANTY; for details see the file
COPYING. This is free software, and you are welcome to redistribute it
under certain conditions; again see the file COPYING for details.

BetaFTPD active
bash-2.03#
----------------------------------------------------------------------------

Then I decided to ps -aux to find out how it was running

---------------------------------ps -aux----------------------------------
bash-2.03# ps -aux
root      4753  0.0  1.2  1308  384 pts/6    S    17:27   0:00 ./betaftpd
----------------------------------------------------------------------------

Now this seemed all good and dandy, running as root as I wanted it
to be (this is before testing the --enable-nonroot flag).
So I decided to test the stability of the program by ftping to it.
So I did:

----------------------------------ftp log-----------------------------------
bash-2.03# ftp 127.0.0.1
Connected to 127.0.0.1.
220 BetaFTPD 0.0.8pre7 ready.
Name (127.0.0.1:root): bubonic
331 Password required for bubonic.
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Have a nice day!
bash-2.03#
----------------------------------------------------------------------------

I gave a wrong password on purpose so I could go eat dinner and not
goof around any more, but before I went to eat I listed the process
one more time and noticed something a little strange:

------------------------------------ps -aux-------------------------------
bash-2.03# ps -aux
bubonic   4753  0.0  2.1  1360  672 pts/6    S    17:27   0:00 ./betaftpd
----------------------------------------------------------------------------

By not having a successful login with the login bubonic, the process
was now under my user bubonic. This could cause a DoS: an intruder
could kill your FTP service. Indeed a big bug. Since it is now
bubonic's PID, that user is able to kill this PID, which could
result in a mess.

-Bubonic

P.S. Sorry for poor English; I wrote this without food. :)
     Any questions or comments, please mail me at ssq () m-net arbornet org
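The post's observation (a single-process daemon that ran as root is owned by the user whose login failed, and that user can now kill it) comes down to two things: what setuid() does to a root process's credential triple, and which credentials kill(2) compares. The following C program is an added example, not BetaFTPD's code; it models the Linux credential transitions and the kill(2) permission rule in plain structs rather than calling setuid() for real (so it runs unprivileged), and uses a made-up uid of 500 for the "bubonic" account. It contrasts the ordering the post describes (switch uid first, check the password afterwards, in the listening process itself) with the usual fix (keep the listener as root, fork a child per session, and drop privileges in the child only after the password has been verified). It also shows, beyond what the post covers, why a seteuid()-only switch would not have been killable either, but for the wrong reason.

```c
#include <stdio.h>
#include <sys/types.h>

/* Credential triple the kernel keeps for every process. */
typedef struct { uid_t ruid, euid, suid; } creds_t;

/* setuid(2) as executed by a process whose effective uid is 0 (Linux
 * semantics): real, effective and saved set-user-id all become uid.
 * The change is permanent; there is no way back to root afterwards. */
static void model_setuid_as_root(creds_t *c, uid_t uid)
{
    c->ruid = uid; c->euid = uid; c->suid = uid;
}

/* seteuid(2): only the effective uid changes; ruid and suid stay. */
static void model_seteuid(creds_t *c, uid_t uid) { c->euid = uid; }

/* kill(2) permission rule (kill(2) man page): the sender's real or
 * effective uid must equal the target's real or saved set-user-id;
 * a sender with effective uid 0 may signal anything. */
static int can_signal(const creds_t *sender, const creds_t *target)
{
    if (sender->euid == 0) return 1;
    return sender->ruid == target->ruid || sender->ruid == target->suid ||
           sender->euid == target->ruid || sender->euid == target->suid;
}

/* One login attempt: the uid the user name maps to and whether the
 * password checked out.  The password check itself is not modelled. */
struct login_attempt { uid_t uid; int password_ok; };

/* Vulnerable ordering, as the post observes it: the single listening
 * process switches to the requested user before the password result
 * matters, so a failed login still re-owns the whole daemon. */
static creds_t vulnerable_listener_after(creds_t listener,
                                         const struct login_attempt *a)
{
    model_setuid_as_root(&listener, a->uid);
    if (!a->password_ok) {
        /* "530 Login incorrect." is sent, but the uid change stands. */
    }
    return listener;
}

/* Fixed ordering: the listener never changes credentials.  A forked
 * child (*session) serves the connection and drops privileges only
 * after a successful password check; on failure it answers 530 and
 * exits, leaving the listener untouched. */
static creds_t fixed_listener_after(creds_t listener,
                                    const struct login_attempt *a,
                                    creds_t *session)
{
    *session = listener;                       /* fork(): child inherits root */
    if (a->password_ok)
        model_setuid_as_root(session, a->uid); /* drop only on success */
    return listener;
}

/* Scenario from the post: root daemon, one failed login as uid 500
 * (constructed value).  Returns 1 if that user's shell may now kill
 * the listening process. */
static int failed_login_makes_listener_killable(int use_fix)
{
    const uid_t user = 500;
    creds_t listener = {0, 0, 0};
    creds_t shell = {user, user, user};
    struct login_attempt a = {user, 0};
    creds_t session;

    if (use_fix)
        listener = fixed_listener_after(listener, &a, &session);
    else
        listener = vulnerable_listener_after(listener, &a);
    return can_signal(&shell, &listener);
}

/* Variant: the same single-process design but with seteuid() instead of
 * setuid().  ruid and suid stay 0, so the user cannot signal the daemon,
 * but the daemon can seteuid(0) itself back to root at any time, so this
 * is not a privilege drop at all; it only hides the symptom. */
static int seteuid_only_listener_killable(void)
{
    const uid_t user = 500;
    creds_t listener = {0, 0, 0};
    creds_t shell = {user, user, user};
    model_seteuid(&listener, user);
    return can_signal(&shell, &listener);
}

int main(void)
{
    printf("vulnerable ordering, failed login: killable by user = %d\n",
           failed_login_makes_listener_killable(0));
    printf("fork + drop after auth,  failed login: killable by user = %d\n",
           failed_login_makes_listener_killable(1));
    printf("seteuid-only switch: killable by user = %d (but not a real drop)\n",
           seteuid_only_listener_killable());
    return 0;
}
```

The model makes the post's ps output explicit: after setuid() in a root process all three ids become the user's, so kill(2)'s "real or effective uid of sender equals real or saved uid of target" check passes for any process that user owns. The fix is not a different uid call but a different structure: the privileged listener must never run untrusted session state, and the child that does should drop privileges only once authentication has succeeded.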

