COMMAND
BetaFTPD
SYSTEMS AFFECTED
BetaFTPD 0.0.8pre7
PROBLEM
Bubonic posted the following. He had just downloaded this program
from freshmeat to test it. He decided to change it to listen on
port 21 (ftpd.h). After doing that he configured and built the
program. Then he ran it on his system (Linux 2.2.9, RH 6.0) and
the following logs tell the rest:
bash-2.03# ./betaftpd --enable-xferlog --enable-fullscren --enable-upload --enable-shadow &
[1] 4753
BetaFTPD version 0.0.8pre7, Copyright (C) 1999 Steinar H. Gunderson
BetaFTPD comes with ABSOLUTELY NO WARRANTY; for details see the file
COPYING. This is free software, and you are welcome to redistribute it
under certain conditions; again see the file COPYING for details.
BetaFTPD active
bash-2.03#
Then he ran ps -aux to find out how it was running:
bash-2.03# ps -aux
root 4753 0.0 1.2 1308 384 pts/6 S 17:27 0:00 ./betaftpd
This all seemed fine: it was running as root, as he wanted it to
be (this was before testing the --enable-nonroot flag). So he
decided to test the stability of the program by ftping to it:
bash-2.03# ftp 127.0.0.1
Connected to 127.0.0.1.
220 BetaFTPD 0.0.8pre7 ready.
Name (127.0.0.1:root): bubonic
331 Password required for bubonic.
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Have a nice day!
bash-2.03#
He gave a wrong password on purpose so that he could go eat dinner
and not goof around any more, but before he went to eat he listed
the processes one more time and noticed something a little strange:
bash-2.03# ps -aux
bubonic 4753 0.0 2.1 1360 672 pts/6 S 17:27 0:00 ./betaftpd
Without a successful login as bubonic, the process was now running
under the user bubonic. This could allow a DoS, since an intruder
could kill your FTP service. Indeed a big bug. Since the PID now
belongs to bubonic, that user is able to kill it, which could
result in a mess.
SOLUTION
Nothing yet.
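The symptom in the two ps listings above (same PID, different USER) can be watched for mechanically. The following is an added example, not part of the original post or of BetaFTPD: it compares two `ps aux` snapshots and reports processes that started as root and now show another user. The function names and the REUSED sample line are constructed for illustration.

```python
"""Flag daemons whose owner changes between two `ps aux` snapshots."""

# These two lines are the ps output quoted in the advisory above.
BEFORE = "root 4753 0.0 1.2 1308 384 pts/6 S 17:27 0:00 ./betaftpd\n"
AFTER = "bubonic 4753 0.0 2.1 1360 672 pts/6 S 17:27 0:00 ./betaftpd\n"
# Constructed line: PID 4753 reused later by an unrelated process.
REUSED = "alice 4753 0.0 0.5 900 300 pts/2 S 18:40 0:00 vi notes.txt\n"


def parse_ps(text):
    """Map (pid, start, command) -> user for each process line."""
    procs = {}
    for line in text.splitlines():
        # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
        fields = line.split(None, 10)  # command may contain spaces
        if len(fields) < 11 or not fields[1].isdigit():
            continue  # header row or truncated line
        user, pid = fields[0], int(fields[1])
        start, command = fields[8], fields[10]
        procs[(pid, start, command)] = user
    return procs


def owner_changes(before, after, watch=("root",)):
    """Return (pid, command, old_user, new_user) for watched processes
    whose USER column differs between the two snapshots.

    Keying on pid + start time + command keeps a recycled PID from
    being reported as an ownership change.
    """
    old, new = parse_ps(before), parse_ps(after)
    changes = []
    for key, old_user in old.items():
        new_user = new.get(key)
        if old_user in watch and new_user is not None and new_user != old_user:
            pid, _start, command = key
            changes.append((pid, command, old_user, new_user))
    return sorted(changes)


if __name__ == "__main__":
    for pid, cmd, was, now in owner_changes(BEFORE, AFTER):
        print(f"ALERT pid {pid} ({cmd}) was {was}, now {now}")
```

ps prints the START column as a time for recent processes and as a date for older ones, so a pair of snapshots that straddles that switch will not match and the change will be missed.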