Thursday, April 12, 2007

Security warning: Possible remote code injection when using Debian Sarge/Etch
Hello SysCP-community,
this security warning concerns all SysCP users who run Debian Sarge or Etch together with our default configuration files. The Debian package of proftpd adds a system user "ftp" whose password field is "!" (drop the quotes; in /etc/shadow that value marks a locked account and is not a real password) and whose home directory is /home/ftp. With our default proftpd.conf, anyone can nevertheless log in via FTP as this user by sending the literal string "!" as the password. Together with an enabled mod_userdir in Apache, an attacker could create a directory "public_html" in the home directory of user "ftp" and then access everything in it (including malicious scripts) through "http://your-servername/~ftp/", outside the open_basedir and safe_mode restrictions that apply to regular customer accounts.

As the comments below show, the underlying cause is the "Plaintext" entry in the "SQLAuthTypes" line of our proftpd.conf, and the same login works for every system account whose password field in /etc/shadow is not a valid crypt(3) result (for example postfix or www-data) and which is not listed in /etc/ftpusers.

We recommend adding the following line to your /etc/proftpd.conf:

AuthOrder mod_sql.c

We also recommend disabling mod_userdir by issuing the following command:

apache-modconf apache disable mod_userdir

Big thanks go to Harald Kapper, who informed me about this security problem and also provided appropriate solutions!

Just a short notice regarding Debian Etch: yes, we are aware that Debian Etch became stable last weekend, but we need some time to adjust the config files. New ones, which will also reflect the recommendations of this security warning, will be included in our next release.

Stay tuned,
Flo and the SysCP-team
Comments
Says WHO?
I mean, why should Debian add a user with the password "!"? Maybe because "!" means illegal password, so the user cannot log in? Just tested on my Debian system (proftpd without MySQL, but this should not matter):

ftp> open localhost
Connected to localhost.
220 ProFTPD 1.3.0 Server (Debian) [::ffff:127.0.0.1]
Name (localhost:zhenech): ftp
331 Password required for ftp.
Password:
530 Login incorrect.

So PLEASE don't blame Debian ;-)
I also could not believe that. I tried it on a Debian/proftpd of a friend of mine (no SysCP) and logging in with the user ftp and password ! really works.
On my only Debian machine it does not work and I don't know why (first I suspected RequireValidShell, but disabling it also did not lead to being able to log in using user ftp). Of course, ! in the shadow line usually says the user cannot log in, but proftpd somehow seems to think it is a plaintext password then...
Same here. Login worked without the AuthOrder.
I'm still not able to reproduce on a Debian system. Proftpd uses PAM per default, so the "!" shouldn't be a problem. Even on systems without PAM the code of the authenticator plugin wouldn't allow "!" as a password. Could you please post /etc/proftpd/* and /etc/pam.d/proftpd somewhere?
Thanks
On a Debian default-install of proftpd?
Which packages do you have? Which versions? The only way to activate the ftp-account is to enable anonymous login: ... which is evil and so on in its own way... (btw, here, not only ! but also syscpsucks and debiansucks work as a password ;))
The ... should be:
<Anonymous ~ftp> ... </Anonymous>
Test setup is Debian Sarge + ProFTPD 1.2.10 - no anonymous section in proftpd.conf
And some other special settings in proftpd.conf?
I just did a plain Sarge install and cannot log in with ftp:! Look:

debootstrap sarge sarge/
chroot sarge/
apt-get install proftpd   (I get 1.2.10-15sarge4)

ftp> open localhost
Connected to localhost.
220 ProFTPD 1.2.10 Server (Debian) [127.0.0.1]
Name (localhost:zhenech): ftp
331 Password required for ftp.
Password:
530 Login incorrect.
Login failed.

What do I need to do to be able to log in?
Hello,
you can find our proftpd.conf inside the SysCP admin panel. If you haven't installed it, take a look at demo.syscp.org, where you can log in with admin:admin and get the appropriate config files. BTW: we aren't using the package proftpd but proftpd-mysql.

For all people who are crying and telling me I should shut the f*** up: when I first heard of this I of course also thought this was a joke, or at least a very special system. But when I checked my very own server and found it to be also vulnerable to this problem, I had to react this way. Remember: this is a security warning, not an official advisory nor any shooting or bashing against Debian. I still love Debian and I'm far from flamewarring here. So if you have any questions, please ask again. I'm also behind this and trying to resolve it.

Greets, Flo
I'm still waiting for configs that make this reproducible.
Until this happens I just don't believe it.
I think you just got the configs on IRC ;-)
For all the others: so, now I have installed SysCP in my Sarge chroot with full proftpd-mysql and stuff, and configured SysCP and the MySQL database. Now I indeed can log in with ftp/! (or whatever the password for the ftp user is, in plaintext, in /etc/passwd or /etc/shadow). The same happens on Etch, but not with the Debian default config (neither on Sarge nor on Etch). By the way, this works for EVERY user in /etc/shadow (who isn't listed in /etc/ftpusers) - I can log in with postfix/! and www-data/*... DAMN!

The problem is here:

SQLAuthTypes Crypt Plaintext

If I remove Plaintext, I can still log in with a valid SysCP account but not with ftp or www-data. Don't ask me why proftpd applies the SQL setting to system users... Dumb piece of software. But also don't ask me why you guys set Plaintext if ftp_users contains only the crypted password ;)

So just replace

SQLAuthTypes Crypt Plaintext

with

SQLAuthTypes Crypt

and the show will go on ;) (IMHO that's a better fix than allowing ONLY mod_sql)
Thanks Zhenech for finding this out. Once again this supports my belief in the community ;)
The only reason I can imagine why there's a Plaintext left in proftpd.conf is that it's a relict from early stages of the development that was dropped quickly. Anyway, I'm gonna remove this Plaintext, but I'll also include the restriction to only allow mod_sql. If someone needs system users, an additional entry shouldn't be a big problem. Thanks again for reproducing this, Flo
NP.
However, could you please edit the post and tell the readers that not only "ftp" but every user who has an invalid password set in /etc/shadow (or /etc/passwd) and is not listed in /etc/ftpusers is affected - this includes users like postfix and www-data! This can be very critical - and not only on Debian but on every proftpd-*sql installation. BTW, I opened a bug at the Debian BTS: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419255 - hope this will be fixed soon (because it is still a bug in proftpd if it allows a plaintext password from /etc/shadow when plaintext is enabled for SQL).
Reading before writing can help sometimes:
If the password field contains some string that is not valid result of crypt(3), for instance ! or *, the user will not be able to use a unix password to log in, subject to pam(7).
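The check a practitioner would want here, as an added example written for this page (not SysCP's or ProFTPD's own code): a Python 3 script that audits a proftpd.conf for the two settings the thread converges on (a "Plaintext" entry in SQLAuthTypes, and AuthOrder not restricted to mod_sql.c), lists every /etc/shadow account whose password field is not crypt(3) output and which /etc/ftpusers does not deny (the "postfix/!" and "www-data/*" cases from the comments above), and can optionally try exactly those logins against a server you name. The config excerpts, shadow lines and ftpusers list embedded below are constructed sample data, not taken from any real system.

```python
#!/usr/bin/env python3
"""Added example, not SysCP or ProFTPD code: audit a proftpd-mysql host for
the locked-account login discussed in the post and comments above.
Check 1 scans a proftpd.conf body for "SQLAuthTypes ... Plaintext" and for a
missing "AuthOrder mod_sql.c".  Check 2 lists accounts whose /etc/shadow field
is not crypt(3) output ("!", "*", empty) and which /etc/ftpusers does not deny:
with Plaintext enabled, proftpd accepts that raw field as the password.
Check 3 (optional, network) tries exactly that login.  Sample data is constructed.
"""
import ftplib
import re
import sys

# --- constructed sample inputs, not from any real system -----------------
WEAK_CONF = """\
SQLAuthTypes Crypt Plaintext
"""
FIXED_CONF = """\
SQLAuthTypes Crypt
AuthOrder mod_sql.c
"""
SHADOW = """\
root:$1$saltsalt$Ze3Q8xPLN0kLnkMBPbhFw0:13600:0:99999:7:::
ftp:!:13600:0:99999:7:::
www-data:*:13600:0:99999:7:::
postfix:!:13600:0:99999:7:::
alice:$1$tlasstla$9CzgX0MbAtqk3Qv3c8Wr8/:13600:0:99999:7:::
"""
FTPUSERS = """\
# /etc/ftpusers: users denied FTP access
root
"""

def audit_proftpd_conf(text):
    """Return findings (strings) for a proftpd.conf body; empty list = OK."""
    auth_types, auth_order = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop comments
        if not line or line.startswith("<"):          # skip <Anonymous> etc.
            continue
        key, *args = line.split()
        if key.lower() == "sqlauthtypes":
            auth_types = [a.lower() for a in args]
        elif key.lower() == "authorder":
            auth_order = [a.lower() for a in args]
    findings = []
    if "plaintext" in auth_types:
        findings.append("SQLAuthTypes includes Plaintext: a raw /etc/shadow "
                        "field such as '!' is accepted as the password")
    if auth_order != ["mod_sql.c"]:
        findings.append("AuthOrder does not restrict authentication to "
                        "mod_sql.c, so system accounts are tried as well")
    return findings

def is_crypt_hash(field):
    """True if the field looks like crypt(3) output, i.e. a usable hash."""
    if field.startswith("$"):                         # modular $id$salt$hash
        return field.count("$") >= 2 and len(field) > 12
    return re.fullmatch(r"[./0-9A-Za-z]{13}", field) is not None  # DES

def locked_accounts(shadow_text, ftpusers_text):
    """(user, field, reason) for accounts a Plaintext-enabled proftpd lets in."""
    denied = {u.strip() for u in ftpusers_text.splitlines()
              if u.strip() and not u.startswith("#")}
    hits = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":")[:2]
        if user in denied or is_crypt_hash(field):
            continue
        reason = "empty password field" if field == "" else "locked account"
        hits.append((user, field, reason))
    return hits

def try_login(host, user, password, port=21, timeout=10):
    """Live check: True if the FTP server accepts user/password (530 -> False)."""
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        return True
    except ftplib.error_perm:
        return False
    finally:
        ftp.close()

def main(argv):
    """Run the checks on the sample data; pass a host to also try the logins."""
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(f"[{name} proftpd.conf]", audit_proftpd_conf(conf) or "no findings")
    hits = locked_accounts(SHADOW, FTPUSERS)
    print("[accounts a Plaintext-enabled proftpd would accept]", hits)
    for user, field, _ in (hits if len(argv) > 1 else []):  # optional live check
        print(user, "ACCEPTED" if try_login(argv[1], user, field) else "rejected")

if __name__ == "__main__":
    main(sys.argv)
```

To audit a real host, run it as root and feed the real files, e.g. locked_accounts(open("/etc/shadow").read(), open("/etc/ftpusers").read()) and audit_proftpd_conf(open("/etc/proftpd.conf").read()); pass a hostname argument only for a server you are authorized to test, since the live check sends the raw shadow field as an FTP password. The "AuthOrder mod_sql.c" requirement mirrors the post's recommendation; if you deliberately allow system users through another module, adjust that check.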
Just got a mail from the Debian BTS:
proftpd-dfsg (1.3.0-22) unstable; urgency=high

  * Added update-inetd dependency.
  * Security: added a auth_cache patch to manage stacked auth scheme which can manage to introduce unexpected behaviors in some corner cases. See http://bugs.proftpd.org/show_bug.cgi?id=2922 (closes: #419255)
  * Added a auth_loop patch to avoid endless loop in auth modules.

This should fix our issues; I hope the security team will catch this fix for Etch too.
Hi,
Nice news, thx for your effort! So long, Florian
Same problem with Ubuntu 6.06 LTS. AuthOrder in proftpd.conf fixes the problem. Thanks... Holger