
29th August 2008, 17:40
Junior Member
Serious security issue in proftpd/mysql/Debian-Howto
Hi there,
apart from the fact that the proftpd/mysql/Debian-Howto
http://www.howtoforge.com/vsftpd_mysql_debian_etch
is simply brilliant, we figured out a pretty serious security hole:
This configuration enables system users to log in via FTP using an exclamation mark ("!") as password. On one of our dev servers, I was able to log in as
ftp
proftpd
mysql
sshd
...with full access to the respective home dirs, which may be fatal if you've got your mysql on the same machine.
This can be solved by adding
AuthOrder mod_sql.c
to proftpd.conf.
greets,
marcus

30th August 2008, 18:38
Super Moderator
Quote:
Originally Posted by marcusr
Proftpd or vsftpd?

30th August 2008, 18:48
HowtoForge Supporter
I'm unable to replicate this behaviour in my production environment.

30th August 2008, 21:38
Moderator
Quote:
Originally Posted by Norman
I'm unable to replicate this behaviour in my production environment.
Same here... I cannot replicate this problem on my Debian Etch systems with ProFTPD.
__________________
Never execute code written on a Friday or a Monday.

30th August 2008, 23:53
Junior Member
Quote:
Originally Posted by falko
Proftpd or vsftpd?
Whoops... pasted the wrong link there. That was supposed to link to the proftpd howto a few lines below...
I can replicate this behaviour on two machines now; both run Etch, and I followed the howto nearly 1:1. I assume the plaintext login is the reason...
One of these machines is in production, and someone already tried to run phpshell on it, which didn't succeed because the FTP homedir is outside the webroot.
Googling 'nyck.php' gives some interesting hits...

31st August 2008, 01:48
Member
I was not able to replicate this with my CentOS 5.2 install either.

31st August 2008, 02:33
HowtoForge Supporter
Could you post your proftpd.conf?

1st September 2008, 17:03
Junior Member
Hi,
here's my proftpd.conf (large comments left out):
Code:
------8<-------
Include /etc/proftpd/modules.conf
ServerName "Debian"
ServerType standalone
DeferWelcome off
MultilineRFC2228 on
DefaultServer on
ShowSymlinks on
TimeoutNoTransfer 600
TimeoutStalled 600
TimeoutIdle 1200
DisplayLogin welcome.msg
DisplayFirstChdir .message
ListOptions "-l"
UseIPv6 off
# (If I add this, everything's OK. Without it, the "!" problem returns.)
# AuthOrder mod_sql.c
DenyFilter \*.*/
Port 21
MaxInstances 30
# Set the user and group that the server normally runs at.
User ftpuser
Group ftpgroup
# Umask 022 is a good standard umask to prevent new files and dirs
# (second parm) from being group and world writable.
Umask 022 022
# Normally, we want files to be overwriteable.
AllowOverwrite on
DefaultRoot ~
UseReverseDNS off
IdentLookups off
<Global>
RootLogin off
#RequireValidShell on
</Global>
# The passwords in MySQL are encrypted using CRYPT
SQLAuthTypes Plaintext Crypt
SQLAuthenticate users groups
# used to connect to the database
# databasename@host database_user user_password
SQLConnectInfo ftp@localhost proftpd xxxxxxx
# Here we tell ProFTPd the names of the database columns in the "usertable"
# we want it to interact with. Match the names with those in the db
SQLUserInfo ftpuser userid passwd uid gid homedir shell
# Here we tell ProFTPd the names of the database columns in the "grouptable"
# we want it to interact with. Again the names match with those in the db
SQLGroupInfo ftpgroup groupname gid members
# set min UID and GID - otherwise these are 999 each
SQLMinID 500
# create a user's home directory on demand if it doesn't exist
SQLHomedirOnDemand on
# Update count every time user logs in
SQLLog PASS updatecount
SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser
# Update modified every time a user uploads or deletes a file
SQLLog STOR,DELE modified
SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser
# User quotas
# ===========
QuotaEngine on
QuotaDirectoryTally on
QuotaDisplayUnits Mb
QuotaShowQuotas on
SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies
QuotaLimitTable sql:/get-quota-limit
QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
RootLogin off
RequireValidShell off
------>8-------
proftpd 1.3.0-19
proftpd-common 1.2.10-15sarge4
proftpd-mysql 1.3.0-19
bye,
marcus
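As an added example that is not part of the thread (and not ProFTPD code), here is a small Python audit that parses a proftpd.conf in the style posted above and reports the settings the thread turns on: whether AuthOrder pins authentication to mod_sql.c, whether SQLAuthTypes still admits Plaintext, and whether RequireValidShell is off while system accounts remain in the auth chain. The two config excerpts are constructed to mirror the weak configuration above and a hardened variant.

```python
# Added example: audit a proftpd.conf for the settings discussed in this thread.
# Not code from the thread or from ProFTPD; the two config excerpts are constructed.

def parse_directives(text):
    """Map each active directive to its argument list; comment lines are skipped,
    so a commented-out '# AuthOrder mod_sql.c' does not count as being set."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_directives(text)
    findings = []
    auth_order = d.get("AuthOrder", [])
    if "SQLAuthenticate" in d and auth_order != ["mod_sql.c"]:
        findings.append("AuthOrder does not limit authentication to mod_sql.c; "
                        "other auth modules (system accounts) stay in the chain")
        if (d.get("RequireValidShell") or ["on"])[0].lower() == "off":
            findings.append("RequireValidShell off with no AuthOrder: system "
                            "accounts are not even filtered by their login shell")
    if "Plaintext" in d.get("SQLAuthTypes", []):
        findings.append("SQLAuthTypes accepts Plaintext passwords")
    return findings

# Constructed excerpt mirroring the weak configuration posted in the thread.
WEAK_CONF = """\
DefaultRoot ~
# AuthOrder mod_sql.c
SQLAuthTypes Plaintext Crypt
SQLAuthenticate users groups
RequireValidShell off
"""

# Constructed hardened variant: the auth chain is pinned to mod_sql.c and only
# Crypt hashes from the database are accepted.
HARDENED_CONF = """\
DefaultRoot ~
AuthOrder mod_sql.c
SQLAuthTypes Crypt
SQLAuthenticate users groups
RequireValidShell off
"""
```

Calling `audit(WEAK_CONF)` returns three findings, while `audit(HARDENED_CONF)` returns an empty list.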