Very Computer

We had a hacker exploit a weakness in the WU-FTP daemon last night. The
exploit on a machine named "bob" from a machine named "neale"went like
this:

Here's how part of the exploit happened:

By adding an entry to the bottom of the passwd file:
test::0:0:dummyname:/:/bin/bash

without a password marker, our login scripts will not let you login with
a
shell, but they will let you open an ftp connection with root
permissions.

You can then upload or download any file you want. ftp will allow you to

login with a null password so you do not need access to the shadow file
to
exploit this weakness, as the following transcript will show:

neale[29]% ftp bob
Connected to bob....
220 bob... FTP server (Version wu-2.4.2-academ[BETA-15](1) Sat Nov
1 03:08:32 EST 1997) ready.
Name (bob:dniederm): test
331 Password required for test.
Password:
230 User test logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /etc/
250 CWD command successful.
ftp> get shadow
local: shadow remote: shadow
200 PORT command successful.
150 Opening BINARY mode data connection for shadow (1117 bytes).
226 Transfer complete.
1117 bytes received in 0.00159 secs (6.8e+02 Kbytes/sec)
ftp> bye
221 Goodbye.
neale[30]% whoami
dniederm
neale[31]% more shadow
...
the contents of the shadow file including encrypted passwords would
follow.

The fact that the shadow file is not root writable. Would not have saved
it. Once root access is gained in this way, putting the shadow file back
raises not problems with overwriting a file with 0400 permissions.
Upgrading to BETA-18 (the latest available rpm still permitted this
exploit. The software was installed as part of the default set of rpms
in a Redhat Linux 5.0 distribution.

We are still working to uncover how the hacker managed to append a
passwd entry to the /etc/passwd file. (I'm open to suggestions--at the
time of the attack, bob was set up to be an NFS client but we do not use
NFS in our domain as so it may not have been configured properly. NFS
has since been removed).

We have since replaced wu-ftp with a different ftp server. Here again I
am open to suggestions as to the best low-cost (or no-cost) ftpd
available apart from wu-ftp.

--

********************************
Daryle Niedermayer
Programmer/Analyst
GDS & Associates Systems. Ltd.
400 - 4211 Albert St.
Regina, SK Canada -- S4S 3R6
Phone: 306.586.7832
Fax: 306.585.1514

http://www.gds.ca
********************************

Quote:>Here's how part of the exploit happened:

>By adding an entry to the bottom of the passwd file:
>test::0:0:dummyname:/:/bin/bash

>without a password marker, our login scripts will not let you login with
>a
>shell, but they will let you open an ftp connection with root
>permissions.

Quote:>You can then upload or download any file you want. ftp will allow you to
>login with a null password so you do not need access to the shadow file
>to
>exploit this weakness, as the following transcript will show:

Quote:>We have since replaced wu-ftp with a different ftp server. Here again I
>am open to suggestions as to the best low-cost (or no-cost) ftpd
>available apart from wu-ftp.

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Don't bother cc'ing followups to me.

Quote:>neale[31]% more shadow
>...
>the contents of the shadow file including encrypted passwords would
>follow.

In addition on Linux you can do a chattr +i on the configuration file,
so it becomes a bit harder to change that one.
[...]

Quote:>We have since replaced wu-ftp with a different ftp server. Here again I
>am open to suggestions as to the best low-cost (or no-cost) ftpd
>available apart from wu-ftp.

Oh yes, and please avoid that vcard stuff, thanks,
Juergen

--
\ Real name     : Jrgen Heinzl                 \       no flames      /

  \ Phone Private : +44 181-332 0750              \                  /

Quote:>you crippled the security

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Don't bother cc'ing followups to me.

Quote:

> By adding an entry to the bottom of the passwd file:
> test::0:0:dummyname:/:/bin/bash

Fredy

This is not a weakness in wu-ftpd.  /etc/passwd lists account information,
including for superusers.  If you allow people to write to it, you've given
them superuser privilege.  The weakness in your system which was exploited was
the non-root writability of /etc/passwd.

Quote:>We are still working to uncover how the hacker managed to append a
>passwd entry to the /etc/passwd file. (I'm open to suggestions--

Most probable without knowing anything further about the situation is that
they got in through one of the well-known network vulnerabilities such as the
imapd bug.  This gives you the ability to execute arbitrary commands as root,
such as appending to the password file (or to /etc/shadow, or replacing ftpd
altogether for that matter).

Quote:>If he/she got the root access, why bother adding new account to ftp?
>cp /etc/shadow filename
>then ftp filename to other hosts.

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Don't bother cc'ing followups to me.

Quote:>By adding an entry to the bottom of the passwd file:
>test::0:0:dummyname:/:/bin/bash

Have you installed all of the security patches for your version of
redhat? Certainly 5.0 5.1 have a number that have to be installed.

[...]

Quote:>We had a hacker exploit a weakness in the WU-FTP daemon last night.

Quote:>The exploit on a machine named "bob" from a machine named "neale"went like
>this:
>Here's how part of the exploit happened:

Quote:>By adding an entry to the bottom of the passwd file:
>test::0:0:dummyname:/:/bin/bash
>without a password marker, our login scripts will not let you login with
>a
>shell, but they will let you open an ftp connection with root
>permissions.

You shot yourself into the foot. Setting up an FTP-only account
with root permissions is as silly as displaying the root password
at the login screen. Sheesh.

And if you did not set it up that way, then your security has been
compromised before, since standard users can't write to the /etc/passwd
file at all.

Michael

--

          Lumber Cartel Unit #456 (TINLC) & Official Netscum

[...]

Quote:>>you crippled the security
>What are you talking about?  Someone apparently broke into their system and
>somehow added that passwd entry.  

Quote:>How do you translate that to "you
>crippled the security"?

OTOH, if the /etc/passwd file was world writeable, then the intruder
may have changed /bin/login or the wu-ftpd executable already just
to allow this.

Michael
--

          Lumber Cartel Unit #456 (TINLC) & Official Netscum

The fact that there are other ways to break into the system does not excuse
FTPD from being usable to implement a back-door.  Perhaps the compromise of
/etc/passwd happened when the culprit was on-site for some reason (maybe as
a consultant).  He might not be able to reproduce those circumstances, but
by leaving a back-door open he has future access.

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Don't bother cc'ing followups to me.

]We are still working to uncover how the hacker managed to append a
]passwd entry to the /etc/passwd file. (I'm open to suggestions--at the
]time of the attack, bob was set up to be an NFS client but we do not use
]NFS in our domain as so it may not have been configured properly. NFS
]has since been removed).

--

GTE Internetworking, Powered by BBN, Burlington, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Don't bother cc'ing followups to me.

I find this all rather fascinating...being relatively new to linux myself.
And..it makes me a little more concerned about putting a box on the internet
without more detailed unix security knowledge.

Charles

Quote:>Here's how part of the exploit happened:

>By adding an entry to the bottom of the passwd file:
>test::0:0:dummyname:/:/bin/bash

So if you do use wu-ftpd, and are concerned about a backdoor like this
being left by a cracker, you might consider BeroFTPd.  Available from
freshmeat and all the other usual places.

Later,
Ashok
--
Ashok Aiyar, Ph.D.
McArdle Laboratory for Cancer Research
http://aiyar.cjb.net