Vulnerability Development mailing list archives
A Bug in the Recently Released BetaFTPD0.0.8pre7 (fwd)
From: ssq () M-NET ARBORNET ORG (Bubonic)
Date: Tue, 21 Dec 1999 22:40:22 -0500
Betaftpd0.0.8pre7

I had just downloaded this program off of freshmeat to test it. I decided to change it to go on port 21 (ftpd.h). After doing that I configured and made the program. Then I ran it on my system (Linux 2.2.9 RH 6.0) and the following logs tell the rest:

------------------------------ran the program------------------------------
bash-2.03# ./betaftpd --enable-xferlog --enable-fullscren --enable-upload --enable-shadow &
[1] 4753
BetaFTPD version 0.0.8pre7, Copyright (C) 1999 Steinar H. Gunderson
BetaFTPD comes with ABSOLUTELY NO WARRANTY; for details see the file
COPYING. This is free software, and you are welcome to redistribute it
under certain conditions; again see the file COPYING for details.
BetaFTPD active
bash-2.03#
----------------------------------------------------------------------------

Then I decided to ps -aux to find out how it was running

---------------------------------ps -aux----------------------------------
bash-2.03# ps -aux
root 4753 0.0 1.2 1308 384 pts/6 S 17:27 0:00 ./betaftpd
----------------------------------------------------------------------------

Now this seemed all good and dandy, running as root as I wanted it to be (this is before testing the --enable-nonroot flag). So I decided to test the stability of the program by ftping to it. So I did:

----------------------------------ftp log-----------------------------------
bash-2.03# ftp 127.0.0.1
Connected to 127.0.0.1.
220 BetaFTPD 0.0.8pre7 ready.
Name (127.0.0.1:root): bubonic
331 Password required for bubonic.
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Have a nice day!
bash-2.03#
----------------------------------------------------------------------------

I gave a wrong password on purpose so I could go eat dinner and not goof around anymore, but before I went to eat I listed the process one more time and noticed something a little strange:

------------------------------------ps -aux-------------------------------
bash-2.03# ps -aux
bubonic 4753 0.0 2.1 1360 672 pts/6 S 17:27 0:00 ./betaftpd
----------------------------------------------------------------------------

By not having a successful login with the login bubonic, the process was now under my user bubonic. This could cause a DoS for an intruder who could kill your FTP service. Indeed a big bug. Since it is now bubonic's PID, that user is able to kill this PID, which could result in a mess.

-Bubonic

P.S. Sorry for poor English, I wrote this without food. :) Any questions or comments, please mail me at ssq () m-net arbornet org
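An added example, not part of the original post and not BetaFTPD code: `ps -aux` prints a single user column (the effective user), while on Linux the `Uid:` line of `/proc/<pid>/status` lists the real, effective, saved and filesystem UIDs separately. The function below classifies that line for a daemon expected to stay at a given UID; the function names, the sample status text and UID 500 are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the "Uid:" line of /proc/<pid>/status (Linux).
# Field order on that line: real, effective, saved-set, filesystem UID.

# check_daemon_uid EXPECTED_UID   (status text on stdin)
# Prints "ok", "euid-only R E S" or "real-or-saved-changed R E S".
# Returns 0 for ok, 1 for drift, 2 if no Uid: line was found.
check_daemon_uid() {
    expected=$1
    fields=$(awk '$1 == "Uid:" { print $2, $3, $4; ok = 1; exit }
                  END { exit !ok }') || { echo unreadable; return 2; }
    set -- $fields
    ruid=$1 euid=$2 suid=$3
    if [ "$ruid" = "$expected" ] && [ "$euid" = "$expected" ] &&
       [ "$suid" = "$expected" ]; then
        echo ok
        return 0
    fi
    # kill(2): an unprivileged sender's real or effective UID must equal the
    # target's real or saved set-user-ID, so those two fields decide who can
    # signal the daemon; the effective UID alone does not.
    if [ "$ruid" != "$expected" ] || [ "$suid" != "$expected" ]; then
        echo "real-or-saved-changed $ruid $euid $suid"
    else
        echo "euid-only $ruid $euid $suid"
    fi
    return 1
}

# Constructed status text (not captured from a real system).
# UID 500 is an assumed stand-in for the unprivileged login account.
sample_started()   { printf 'Name:\tbetaftpd\nUid:\t0\t0\t0\t0\n'; }
sample_euid_only() { printf 'Name:\tbetaftpd\nUid:\t0\t500\t0\t500\n'; }
sample_full()      { printf 'Name:\tbetaftpd\nUid:\t500\t500\t500\t500\n'; }

# Demonstration over the constructed samples; the daemon is expected at UID 0.
for s in sample_started sample_euid_only sample_full; do
    printf '%s: ' "$s"
    "$s" | check_daemon_uid 0 || true
done
```

On a live system, redirect the daemon's own status file into the function: `check_daemon_uid 0 < /proc/<pid>/status`.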