[13104] in bugtraq
Re: ftp conversions exploit
daemon@ATHENA.MIT.EDU (Gregory A Lundberg)
Mon Dec 27 15:17:24 1999
Mail-Followup-To: Alexey Chetroi <lex@TWILIGHT.TELCO.MD>,
BUGTRAQ@SECURITYFOCUS.COM, wuftpd-questions@wu-ftpd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19991224220131.B2215@vr.net>
Date: Fri, 24 Dec 1999 22:01:31 -0500
Reply-To: Gregory A Lundberg <lundberg@WU-FTPD.ORG>
From: Gregory A Lundberg <lundberg@WU-FTPD.ORG>
X-To: Alexey Chetroi <lex@TWILIGHT.TELCO.MD>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.20.9912240849500.7988-100000@twilight.telco.md>; from
Alexey Chetroi on Fri, Dec 24, 1999 at 08:51:21AM +0200
On Fri, Dec 24, 1999 at 08:51:21AM +0200, Alexey Chetroi wrote:
> On Wed, 22 Dec 1999, David Malone wrote:
>
> > On Wed, Dec 22, 1999 at 04:47:25AM +0000, Desi Hacker wrote:
> >
> > The ftpaccess man page contains the following example line:
> >
> > path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
> >
> > which disallows filenames starting with . or - to anonymous users.
> > Maybe your ftpaccess line contains this?
>
> It doesn't disallow filenames starting with . or -; it disallows
> filenames with spaces.
Lo, he readeth from the manpage ...
path-filter <typelist> <mesg> <allowed_charset>
{<disallowed reg-exp> ...}
For users in <typelist>, path-filter defines regular
expressions that control what a filename can or can
not be. There may be multiple disallowed regexps.
If a filename is invalid due to failure to match the
regexp criteria, <mesg> will be displayed to the
user. For example:
path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
specifies that all upload filenames for anonymous
users must be made of only the characters A-Z, a-z,
0-9, and "._-" and may not begin with a "." or a
"-". If the filename is invalid, /etc/pathmsg will
be displayed to the user.
Taking unto his heart his own advice, he commanded:
$ grep 'path-filter' /etc/ftpaccess
path-filter anonymous,guest /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
And, knowing he was a guest unto himself, he bespoke unto the daemon:
$ ftp ftp.vr.net
Connected to www.vr.net.
220 ftp.vr.net FTP server ready.
Name (ftp.vr.net:lundberg):
331 Password required for lundberg.
Password:
230 User lundberg logged in. Access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put da -da
local: da remote: -da
200 PORT command successful.
550 -da: Permission denied on server. (Filename (deny))
ftp> put da .da
local: da remote: .da
200 PORT command successful.
550 .da: Permission denied on server. (Filename (deny))
ftp> ren da .da
350 File exists, ready for destination name
550 .da: Permission denied on server. (Filename (deny))
ftp> ren da -da
350 File exists, ready for destination name
550 -da: Permission denied on server. (Filename (deny))
ftp> quit
You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 723 bytes in 0 transfers.
221-Thank you for using the FTP service on ftp.vr.net.
221 Goodbye.
And, upon seeing the words were good and true, he rested.
--
Gregory A Lundberg WU-FTPD Development Group
1441 Elmdale Drive lundberg@wu-ftpd.org
Kettering, OH 45409-1615 USA 1-800-809-2195
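To make the path-filter semantics quoted from the manpage (and exercised in Lundberg's ftp session) concrete, here is an added Python model of the rule; it is an illustration written for this page, not wu-ftpd's own code. It assumes a simplified check: the name must match the allowed-charset regexp and must match none of the disallowed regexps, and only the final path component is tested (wu-ftpd itself uses POSIX regex routines and its exact component handling is not shown on the page). The sample filenames are constructed.

```python
import re

# The example rule from the ftpaccess manpage, as quoted in the thread:
#   path-filter anonymous /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
ALLOWED_CHARSET = r"^[-A-Za-z0-9._]*$"   # every character must be in this set
DISALLOWED = [r"^\.", r"^-"]             # additionally reject leading "." or "-"


def path_filter(filename, allowed=ALLOWED_CHARSET, disallowed=DISALLOWED):
    """Return (accepted, reason) for an upload/rename target name.

    Assumption (not from the page): only the last path component is checked.
    The allowed charset catches spaces and other stray characters; the
    disallowed regexps catch names that start with "." or "-", so the rule
    does both of the things argued about in the thread.
    """
    name = filename.rsplit("/", 1)[-1]
    if not re.search(allowed, name):
        return False, "allowed charset"
    for pattern in disallowed:
        if re.search(pattern, name):
            return False, "disallowed regexp %s" % pattern
    return True, "ok"


# Constructed sample names: the two from the ftp session plus a few extras.
SAMPLES = ["-da", ".da", "da", "my file.txt", "..", "README.txt", "a;b"]


def classify(names=SAMPLES):
    """Map each sample name to its (accepted, reason) verdict."""
    return {n: path_filter(n) for n in names}


if __name__ == "__main__":
    for name, (ok, why) in classify().items():
        verdict = "accept" if ok else "550 Permission denied (Filename (deny))"
        print("%-14s %s [%s]" % (name, verdict, why))
```

Running it reproduces the outcome of the session above: "-da" and ".da" are refused by the disallowed regexps, while a name containing a space is refused by the allowed-charset regexp, so the two readings of the rule in the thread are both partly right.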