wu-ftpd security hole affect FreeBSD?

Post by Mike Stevens » Fri, 30 Nov 2001 14:12:04

A security hole has been found that affects wu-ftp and, seemingly, most Linux
distros.  There was no security alert on www.freebsd.org when I first
looked.  Anyone know if this affects FreeBSD?  At least the example posted
at http://www.securityfocus.com/archive/1/242750 didn't seem to crash
under 4.4-STABLE.  Can anyone else verify this?  Thanks

Post by Kade » Fri, 30 Nov 2001 15:14:20

On Wed, 28 Nov 2001 21:12:04 -0800, Mike Stevens


> A security hole has been found that affects wu-ftp and, seemingly, most Linux
> distros.  There was no security alert on www.freebsd.org when I first
> looked.  Anyone know if this affects FreeBSD?  At least the example posted
> at http://www.securityfocus.com/archive/1/242750 didn't seem to crash
> under 4.4-STABLE.  Can anyone else verify this?  Thanks

I don't have an answer to your question, sorry.  Rather, I have some
questions of my own for the wu-ftpd users that I assume will be reading
this thread.

First of all, why would anyone run a service that runs as root unless
they absolutely had to?  Can't wu-ftpd be run as a non-privileged user?
If not, why is anyone using it?  If wu-ftpd doesn't allow this, there have
to be others around that do, no?

I don't run an ftp daemon, so I'm not sure. I tell a lie. On the
extremely rare situation that I need ftp access to one of my own
servers, I will enable the standard ftpd that comes with the base system
for the length of the transfer, then shut it off again. This is hardly
like running a full time ftp server though. Because of this, I don't
worry much about security in this area, so I don't know much about ftp
options. All I know that would apply to ftp is the standard security
measures that would apply to any daemon. Use chroot || jail || both, run
it as a non-privileged user within the root/jail, firewall it, wrap it
(if applicable). Do you mean to tell me that this can't be done with
wu-ftpd? If it can't, then why is anyone using it?

Post by Nick Hilliar » Fri, 30 Nov 2001 19:13:09

> On Wed, 28 Nov 2001 21:12:04 -0800, Mike Stevens

> > A security hole has been found that affects wu-ftp and, seemingly, most Linux
> > distros.  There was no security alert on www.freebsd.org when I first
> > looked.  Anyone know if this affects FreeBSD?  At least the example posted
> > at http://www.securityfocus.com/archive/1/242750 didn't seem to crash
> > under 4.4-STABLE.  Can anyone else verify this?  Thanks

FreeBSD doesn't run wu-ftpd by default.  It uses its own version of ftpd.

> First of all, why would anyone run a service that runs as root unless
> they absolutely had to?  Can't wu-ftpd be run as a non-privileged user?

No, because it needs to setuid to arbitrary users.  If you want to run
anonymous-only services, then try something like aftpd or publicfile or
something.

> options. All I know that would apply to ftp is the standard security
> measures that would apply to any daemon. Use chroot || jail || both, run
> it as a non-privileged user within the root/jail, firewall it, wrap it
> (if applicable).

All sensible precautions.

Nick

Post by Zeni » Sat, 01 Dec 2001 00:24:32

        >snip<
: Can't wu-ftpd be run as a non-priviledged user?

        Sadly, no, and the same applies to all (non-anon) FTP servers.

        Think of FTPd along the same lines as more common "remote login"
        servers such as telnetd, sshd, etc.  The (non-network) requirements
        are pretty much the same.

--

BSD:  A psychoactive drug, popular in the 80s, probably developed at UC
Berkeley or thereabouts.  Similar in many ways to the prescription-only
medication called "System V", but infinitely more useful. (Or, at least,
more fun.)  The full chemical name is "Berkeley Standard Distribution".

Post by Kade » Sat, 01 Dec 2001 03:06:52

> Can't wu-ftpd be run as a non-privileged user?
>> Sadly, no, and the same applies to all (non-anon) FTP servers.

>> Think of FTPd along the same lines as more common "remote login"
>> servers such as telnetd, sshd, etc.  The (non-network) requirements
>> are pretty much the same.

The concept hit me as I read the previous reply to my questions that
"Hey, ftp is basically just a highly specialized shell access.  Which
would mean it has to take on the identity of anyone accessing it."  Oh
well, think before you post I guess.

Anyway, thanks for the explanations.  Makes sense now.

Post by John Oake » Sat, 01 Dec 2001 03:56:46

> > On Wed, 28 Nov 2001 21:12:04 -0800, Mike Stevens

> > > A security hole has been found that affects wu-ftp and, seemingly, most Linux
> > > distros.  There was no security alert on www.freebsd.org when I first
> > > looked.  Anyone know if this affects FreeBSD?  At least the example posted
> > > at http://www.securityfocus.com/archive/1/242750 didn't seem to crash
> > > under 4.4-STABLE.  Can anyone else verify this?  Thanks

> FreeBSD doesn't run wu-ftpd by default.  It uses its own version of ftpd.

There is a possibility some versions of BSD ftpd are vulnerable.  I was just
reading bugtraq and I think it really depends on your glob(3)
implementation.  Some ported versions of BSD ftpd could be vulnerable.
Someone claimed they tried it on OpenBSD 2.9 and 3.0 and it was exhibiting
the same behavior as wu-ftpd and killing ftpd; however, someone else said
they tried on FreeBSD 4.4 and 5.0 and just got a normal ls output (the
vulnerability lies in issuing an "ls ~{").  Maybe you should just issue "ls
~{" and see if it kills ftpd.

John

> > First of all, why would anyone run a service that runs as root unless
> > they absolutely had to?  Can't wu-ftpd be run as a non-privileged user?

> No, because it needs to setuid to arbitrary users.  If you want to run
> anonymous-only services, then try something like aftpd or publicfile or
> something.

> > options. All I know that would apply to ftp is the standard security
> > measures that would apply to any daemon. Use chroot || jail || both, run
> > it as a non-privileged user within the root/jail, firewall it, wrap it
> > (if applicable).

> All sensible precautions.

> Nick

Post by Reinoud van Leeuw » Sat, 01 Dec 2001 10:02:00

>    >snip<
>: Can't wu-ftpd be run as a non-privileged user?

>    Sadly, no, and the same applies to all (non-anon) FTP servers.

>    Think of FTPd along the same lines as more common "remote login"
>    servers such as telnetd, sshd, etc.  The (non-network) requirements
>    are pretty much the same.

If you are concerned about security, you could try running ftp
services in a jail. It will not guarantee 100% security, but it is one
step further...
(not meant to start a thread about all the pros and cons of jail
usage, but just my 2 eurocent ;-)

--
__________________________________________________
"Nothing is as subjective as reality"

http://www.xs4all.nl/~reinoud
-> when replying to a mailinglist mail, please do  <-
-> *NOT* cc: me as well. If I read the list I will <-
-> receive the reply as well!                      <-
__________________________________________________

Post by Zeni » Sat, 01 Dec 2001 18:30:54

:>       >snip<
:>: Can't wu-ftpd be run as a non-privileged user?
:>
:>       Sadly, no, and the same applies to all (non-anon) FTP servers.
:>
:>       Think of FTPd along the same lines as more common "remote login"
:>       servers such as telnetd, sshd, etc.  The (non-network) requirements
:>       are pretty much the same.
:
: If you are concerned about security, you could try running ftp services in
: a jail. It will not guarantee 100% security, but it is one step further...
: (not meant to start a thread about all the pros and cons of jail
: usage, but just my 2 eurocent ;-)

        How will a jail help...when the server needs complete access to your
        entire filesystem anyway?

Post by David Malo » Tue, 11 Dec 2001 20:50:37

>On Wed, 28 Nov 2001 21:12:04 -0800, Mike Stevens

>> A security hole has been found that affects wu-ftp and, seemingly, most Linux
>> distros.  There was no security alert on www.freebsd.org when I first
>> looked.  Anyone know if this affects FreeBSD?  At least the example posted
>> at http://www.securityfocus.com/archive/1/242750 didn't seem to crash
>> under 4.4-STABLE.  Can anyone else verify this?  Thanks

FreeBSD's ftpd doesn't have the same problem AFAIK, but if you have
installed the wu-ftpd port then you should upgrade.

>First of all, why would anyone run a service that runs as root unless
>they absolutely had to?  Can't wu-ftpd be run as a non-privileged user?

If you are using ftp for regular users, then it must run as root
so it can become that user after you have logged in. Also, because
of the way the ftp protocol works, it needs to keep root privileges
if it is to support both active and passive ftp. (There are ways around
this, but they are kinda complicated).

        David.

Post by Zeni » Wed, 12 Dec 2001 01:16:37

        >snip<
: Also, because of the way the ftp protocol works, it needs to keep root
: privileges if it is to support both active and passive ftp. (There are
: ways around this, but they are kinda complicated).

        I think you're mistaken.

        For active the FTP server won't care (firewall in front of a server
        likely might care, but FTP server doesn't) as it can connect out to
        any port as any user.  For passive the new ports are all > 1024
        (49152..65535 by default, according to ftpd(8)), which don't require
        root to open.

Post by David Malo » Wed, 12 Dec 2001 08:28:36

>    I think you're mistaken.
>    For active the FTP server won't care (firewall in front of a server
>    likely might care, but FTP server doesn't) as it can connect out to
>    any port as any user.  For passive the new ports are all > 1024
>    (49152..65535 by default, according to ftpd(8)), which don't require
>    root to open.

I believe in active mode that the connection should come from port
20 (ftp-data) on the server (or maybe that is just tradition). I
haven't studied the RFC in detail, so please correct me if
I'm mistaken.

        David.

Post by Zeni » Wed, 12 Dec 2001 16:33:39

:>       I think you're mistaken.
:>       For active the FTP server won't care (firewall in front of a server
:>       likely might care, but FTP server doesn't) as it can connect out to
:>       any port as any user.  For passive the new ports are all > 1024
:>       (49152..65535 by default, according to ftpd(8)), which don't require
:>       root to open.
:
: I believe in active mode that the connection should come from port 20
: (ftp-data) on the server (or maybe that is just tradition). I haven't
: studied the RFC in detail, so please correct me if I'm mistaken.

        Hmm, that's possible...but it would seem a rather odd requirement?
        RFC 959 doesn't seem to mention it, although the source
        (/usr/src/libexec/ftpd/ftpd.c) would seem to concur the use of port
        20 for the source.

        Any FTP experts around?

Post by Jed Clea » Thu, 13 Dec 2001 07:55:21

In the active mode, that was what port 20 is for.

You could also tell the server to make the data connection back to the same
port the client used for the control connection originally.  This was
later deprecated, and in fact one major network company's firewall balks
if the active connection comes back to the same port.

> :>       I think you're mistaken.
> :>       For active the FTP server won't care (firewall in front of a server
> :>       likely might care, but FTP server doesn't) as it can connect out to
> :>       any port as any user.  For passive the new ports are all > 1024
> :>       (49152..65535 by default, according to ftpd(8)), which don't require
> :>       root to open.
> :
> : I believe in active mode that the connection should come from port 20
> : (ftp-data) on the server (or maybe that is just tradition). I haven't
> : studied the RFC in detail, so please correct me if I'm mistaken.

>         Hmm, that's possible...but it would seem a rather odd requirement?
>         RFC 959 doesn't seem to mention it, although the source
>         (/usr/src/libexec/ftpd/ftpd.c) would seem to concur the use of port
>         20 for the source.

>         Any FTP experts around?

Post by Zeni » Thu, 13 Dec 2001 09:22:40

: In the active mode, that was what port 20 is for.  

        I'm still unclear as to why the source port needs to be fixed at
        all?  Since it's the source port, nothing is going to connect to it
        and thus it shouldn't need to be well known?  I see the source code
        which explicitly sets it to port 20...I just can't figure out from
        either the RFC or the source why one would want/need to?

: You could also tell the server make the data connection back to the same
: port the client used for the control connection originally.  This was
: later deprecated, and in fact one major network companies firewall balks
: if the active connection comes back to the same port.

        I swear, every time I hear a little more discussion about the
        details of the FTP protocol, the more strongly I come to believe the
        authors were on serious * when they wrote it.  Probably the same
        * MS was on when they came up with DirectPlay and the mess that
        NetMeeting uses.

Post by Per Hedeland » Thu, 13 Dec 2001 10:45:29

>:
>: I believe in active mode that the connection should come from port 20
>: (ftp-data) on the server (or maybe that is just tradition). I haven't
>: studied the RFC in detail, so please correct me if I'm mistaken.

>    Hmm, that's possible...but it would seem a rather odd requirement?
>    RFC 959 doesn't seem to mention it, although the source
>    (/usr/src/libexec/ftpd/ftpd.c) would seem to concur the use of port
>    20 for the source.

RFC 959, section 5.2. "CONNECTIONS":

      The server shall initiate the data connection from his own default
      data port (L-1) using the specified user data port.

--Per Hedeland
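The data-connection question argued over in the last few posts (David's claim that active mode needs root, Zenith's point that passive ports are all above 1024, and the RFC 959 sentence Per quotes) can be tried on a loopback interface. The following is an added Python example, not code from the thread or from any ftpd. It assumes a Unix-style rule that ports below 1024 need root; the helper names (format_hostport, bind_source_port, passive_listener, active_transfer) and the sample payload are this example's own.

```python
# Added example (not code from the thread or from any ftpd): the two RFC 959
# data-connection setups on loopback, and the bind that makes active mode a
# root-only affair on a default Unix.  Helper names are this example's own.
import errno
import random
import socket
import threading

PASSIVE_PORT_RANGE = (49152, 65535)   # default passive range, per FreeBSD ftpd(8)
DEFAULT_DATA_PORT = 20                # RFC 959 5.2: server data port is L-1, L = 21
LOOPBACK = "127.0.0.1"


def format_hostport(host, port):
    """Encode (host, port) as RFC 959's 'h1,h2,h3,h4,p1,p2' (PORT arg / PASV reply)."""
    return ",".join(host.split(".") + [str(port >> 8), str(port & 0xFF)])


def parse_hostport(arg):
    """Decode 'h1,h2,h3,h4,p1,p2' to (host, port); any malformed field is rejected."""
    parts = arg.split(",")
    if len(parts) != 6 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"malformed host/port argument: {arg!r}")
    nums = [int(p) for p in parts]
    return ".".join(map(str, nums[:4])), (nums[4] << 8) | nums[5]


def bind_source_port(port):
    """Bind a TCP socket to a fixed local port.

    Returns (socket, None) on success or (None, errno name) on failure.  As a
    non-root user on a default Unix, port 20 fails with EACCES: that bind is
    why an ftpd supporting active mode has to hold on to root after login.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    try:
        s.bind((LOOPBACK, port))
        return s, None
    except OSError as e:
        s.close()
        return None, errno.errorcode.get(e.errno, str(e.errno))


def passive_listener(tries=32):
    """Passive mode: the server listens on a high port, which needs no root at all."""
    lo, hi = PASSIVE_PORT_RANGE
    for _ in range(tries):
        sock, err = bind_source_port(random.randint(lo, hi))
        if sock is not None:
            sock.listen(1)
            return sock            # ftpd would report getsockname() in its 227 reply
        if err != "EADDRINUSE":
            raise OSError(f"passive bind failed: {err}")
    raise OSError("no free port in the passive range")


def active_transfer(payload, server_source_port=0):
    """Active mode: the client listens and sends PORT; the server connects out.

    server_source_port=DEFAULT_DATA_PORT reproduces RFC 959 (root needed);
    0 lets the kernel choose, which is all an unprivileged server could do.
    Returns the bytes the client side received.
    """
    client_listen = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client_listen.bind((LOOPBACK, 0))
    client_listen.listen(1)
    port_arg = format_hostport(*client_listen.getsockname())  # the PORT argument
    received = bytearray()

    def client_side():
        try:
            conn, _ = client_listen.accept()
        except OSError:
            return                 # listener was closed because the server gave up
        with conn:
            while chunk := conn.recv(4096):
                received.extend(chunk)

    t = threading.Thread(target=client_side, daemon=True)
    t.start()
    try:
        host, port = parse_hostport(port_arg)          # server parses PORT
        srv, err = bind_source_port(server_source_port)
        if srv is None:
            raise PermissionError(f"cannot bind source port {server_source_port}: {err}")
        with srv:
            srv.connect((host, port))
            srv.sendall(payload)
        t.join(timeout=5)          # client drains the data and sees EOF
    finally:
        client_listen.close()      # unblocks accept() if the server never connected
        t.join(timeout=5)
    return bytes(received)


if __name__ == "__main__":
    print("PORT argument for 127.0.0.1:49152 ->", format_hostport(LOOPBACK, 49152))
    print("active transfer, kernel-chosen source port:", active_transfer(b"hello"))
    sock, err = bind_source_port(DEFAULT_DATA_PORT)
    print("bind to port 20:", "succeeded (root?)" if sock else f"failed with {err}")
    if sock:
        sock.close()
    lst = passive_listener()
    print("passive listener bound to port", lst.getsockname()[1])
    lst.close()
```

Run as an ordinary user the passive listener and the kernel-chosen active transfer both work, and only the bind to port 20 fails, which is the root requirement David was pointing at and the RFC text explains. On some containerised Linux systems the low-port rule is relaxed (net.ipv4.ip_unprivileged_port_start), so that last bind may succeed without root there; the same caveat applies when judging whether a given ftpd really needs to keep privileges on such a host.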

wu-ftpd Security Hole

There is a rather serious bug in the SCO port of wu-ftpd 2.4.  The file
support/sco.c, which is used when compiling under SCO 3.2, contains an
initgroups() routine since this routine is missing under SCO.  This
routine declares an array of group IDs as an "int" rather than a
"gid_t".  Since "gid_t" is a typedef for "short" on SCO, the array of
group IDs passed to setgroups() by initgroups() is effectively
corrupted.  In my particular case, this was resulting in users logged
in under their own user IDs to having unauthorized access to group 0,
(root), though results would vary based on actual group membership.

The file "sco.c" is also used by the ISC port of wu-ftpd, so that OS
may also be vulnerable.

The problem is easily fixed by declaring the array "groups" as "gid_t",
recompiling, and reinstalling.
--
John W. Temples, III       ||       Providing the first public access Internet
Gulfnet Kuwait             ||            site in the Arabian Gulf region
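The width mismatch the post describes, as an added Python example that is not wu-ftpd's code: an int[] buffer is reinterpreted as shorts with struct, which is what a setgroups() taking gid_t* did with it on SCO. The group IDs are constructed, both byte orders are shown because the post does not say which machine it was, and the helper names are this example's own.

```python
# Added example (not wu-ftpd's code): the sco.c initgroups() width bug
# reproduced with struct.  The group IDs and byte orders are made up.
import struct

DECLARED_IN_SCO_C = "i"   # the array sco.c declared: C int, 32 bits
GID_T_ON_SCO = "h"        # what SCO's gid_t really was: short, 16 bits


def groups_as_seen_by_setgroups(groups, declared=DECLARED_IN_SCO_C,
                                gid_t=GID_T_ON_SCO, byteorder="<"):
    """Pack `groups` with the element type the array was declared as, then
    read len(groups) gid_t values back from the front of that buffer, which
    is what setgroups(ngroups, gidset) taking a gid_t* did with it.

    With declared="i" and gid_t="h", every other value is the high half of
    an int: zero for any ordinary group ID, so group 0 appears in the set.
    """
    n = len(groups)
    buf = struct.pack(f"{byteorder}{n}{declared}", *groups)
    width = struct.calcsize(f"{byteorder}{gid_t}")
    return list(struct.unpack(f"{byteorder}{n}{gid_t}", buf[: n * width]))


def unintended_groups(seen, intended):
    """Group IDs the kernel would install that the user was never a member of."""
    return sorted(set(seen) - set(intended))


if __name__ == "__main__":
    intended = [100, 200, 300]        # constructed: a user in three ordinary groups
    for order, name in (("<", "little-endian"), (">", "big-endian")):
        buggy = groups_as_seen_by_setgroups(intended, byteorder=order)
        print(f"{name}: int[] passed as gid_t* -> {buggy}, "
              f"unintended {unintended_groups(buggy, intended)}")
    fixed = groups_as_seen_by_setgroups(intended, declared=GID_T_ON_SCO)
    print(f"declared as gid_t[] (the fix)      -> {fixed}, "
          f"unintended {unintended_groups(fixed, intended)}")
```

On either byte order the installed set contains group 0, and only some of the intended groups survive (which ones depends on byte order and on the length of the membership list), so what a particular user ends up with varies with their actual group membership, as the post observes. Declaring the array as gid_t makes the packed and unpacked widths agree and the installed set equals the intended one.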
