Serious security issue in proftpd/mysql/Debian-Howto

Discussion in 'HOWTO-Related Questions' started by marcusr, Aug 29, 2008.

  1. marcusr

    marcusr New Member

    Hi there,

    apart from the fact that the proftpd/mysql/Debian-Howto
    http://www.howtoforge.com/vsftpd_mysql_debian_etch

    is simply brilliant, we figured out a pretty serious security hole:

    This configuration enables system users to log in via FTP using an exclamation mark ("!") as password. On one of our Dev-Servers, I was able to log in as

    ftp
    proftpd
    mysql
    sshd

    ...with full access to the respective home dirs, which may be fatal if you've got your mysql on the same machine.

    This can be solved by adding
    AuthOrder mod_sql.c

    to proftpd.conf.


    greets,
    marcus
     
  2. falko

    falko Super Moderator Howtoforge Staff

  3. Norman

    Norman Member HowtoForge Supporter

    I'm unable to replicate this behaviour in my production environment.
     
  4. edge

    edge Active Member Moderator

    Same here.. I can not replicate this problem on my Debian Etch systems with ProFTPD
     
  5. marcusr

    marcusr New Member

    whoops... pasted the wrong link there. that was supposed to link to the proftpd howto a few lines below...

    I can replicate this behaviour on two machines now, both run on etch, I followed the howto nearly 1:1. I assume the plaintext login is the reason...

    one of these machines is productive and someone already tried to run phpshell on it - which didn't succeed because the FTP homedir is outside the webroot.

    Google 'nyck.php' gives some interesting hits...
     
  6. tal56

    tal56 Member

    I was not able to replicate this with my Centos 5.2 install either.
     
  7. Norman

    Norman Member HowtoForge Supporter

    Could you post your proftpd.conf ?
     
  8. marcusr

    marcusr New Member

    hi,
    here's my proftpd.conf (large comments left out)

    Code:
    ------8<-------
    Include /etc/proftpd/modules.conf
    ServerName                      "Debian"
    ServerType                      standalone
    DeferWelcome                    off
    
    MultilineRFC2228                on
    DefaultServer                   on
    ShowSymlinks                    on
    
    TimeoutNoTransfer               600
    TimeoutStalled                  600
    TimeoutIdle                     1200
    
    DisplayLogin                    welcome.msg
    DisplayFirstChdir               .message
    ListOptions                     "-l"
    UseIPv6                         off
    
    # (if i add this, everything's ok). without, the "!"-problem returns: 
    # AuthOrder mod_sql.c
    
    DenyFilter                      \*.*/
    
    Port                            21
    
    MaxInstances                    30
    
    # Set the user and group that the server normally runs at.
    User                            ftpuser
    Group                           ftpgroup
    
    # Umask 022 is a good standard umask to prevent new files and dirs
    # (second parm) from being group and world writable.
    Umask                           022  022
    # Normally, we want files to be overwriteable.
    AllowOverwrite                  on
    
    DefaultRoot ~
    UseReverseDNS off
    IdentLookups off
    
       <Global>
       RootLogin off
       #RequireValidShell on
       </Global>
    
    # The passwords in MySQL are encrypted using CRYPT
    SQLAuthTypes            Plaintext Crypt
    SQLAuthenticate         users groups
    
    
    # used to connect to the database
    # databasename@host database_user user_password
    SQLConnectInfo  ftp@localhost proftpd xxxxxxx
    
    
    # Here we tell ProFTPd the names of the database columns in the "usertable"
    # we want it to interact with. Match the names with those in the db
    SQLUserInfo     ftpuser userid passwd uid gid homedir shell
    
    # Here we tell ProFTPd the names of the database columns in the "grouptable"
    # we want it to interact with. Again the names match with those in the db
    SQLGroupInfo    ftpgroup groupname gid members
    
    # set min UID and GID - otherwise these are 999 each
    SQLMinID        500
    
    # create a user's home directory on demand if it doesn't exist
    SQLHomedirOnDemand on
    
    # Update count every time user logs in
    SQLLog PASS updatecount
    SQLNamedQuery updatecount UPDATE "count=count+1, accessed=now() WHERE userid='%u'" ftpuser
    
    # Update modified everytime user uploads or deletes a file
    SQLLog  STOR,DELE modified
    SQLNamedQuery modified UPDATE "modified=now() WHERE userid='%u'" ftpuser
    
    # User quotas
    # ===========
    QuotaEngine on
    QuotaDirectoryTally on
    QuotaDisplayUnits Mb
    QuotaShowQuotas on
    
    SQLNamedQuery get-quota-limit SELECT "name, quota_type, per_session, limit_type, bytes_in_avail, bytes_out_avail, bytes_xfer_avail, files_in_avail, files_out_avail, files_xfer_avail FROM ftpquotalimits WHERE name = '%{0}' AND quota_type = '%{1}'"
    
    SQLNamedQuery get-quota-tally SELECT "name, quota_type, bytes_in_used, bytes_out_used, bytes_xfer_used, files_in_used, files_out_used, files_xfer_used FROM ftpquotatallies WHERE name = '%{0}' AND quota_type = '%{1}'"
    
    SQLNamedQuery update-quota-tally UPDATE "bytes_in_used = bytes_in_used + %{0}, bytes_out_used = bytes_out_used + %{1}, bytes_xfer_used = bytes_xfer_used + %{2}, files_in_used = files_in_used + %{3}, files_out_used = files_out_used + %{4}, files_xfer_used = files_xfer_used + %{5} WHERE name = '%{6}' AND quota_type = '%{7}'" ftpquotatallies
    
    SQLNamedQuery insert-quota-tally INSERT "%{0}, %{1}, %{2}, %{3}, %{4}, %{5}, %{6}, %{7}" ftpquotatallies
    
    QuotaLimitTable sql:/get-quota-limit
    QuotaTallyTable sql:/get-quota-tally/update-quota-tally/insert-quota-tally
    
    RootLogin off
    RequireValidShell off
    ------>8-------
    proftpd 1.3.0-19
    proftpd-common 1.2.10-15sarge4
    proftpd-mysql 1.3.0-19

    bye,
    marcus
     
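The posted proftpd.conf combines `SQLAuthTypes Plaintext Crypt` with no `AuthOrder`, which is the configuration the thread identifies as letting system accounts through; the fix given is `AuthOrder mod_sql.c`. As an added example (not code from the thread or from ProFTPD), the following Python audit parses a proftpd.conf and reports that combination, using a constructed, abridged copy of the posted config as sample input:

```python
"""Audit a proftpd.conf for the weakness this thread describes: SQLAuthTypes
permits Plaintext while AuthOrder does not confine authentication to mod_sql.c.
Added example, not from the thread; the sample config below is constructed."""
import re
from typing import Dict, List

# Constructed sample: the relevant directives of the posted proftpd.conf, abridged.
WEAK_CONF = """\
<Global>
RootLogin off
#RequireValidShell on
</Global>
SQLAuthTypes            Plaintext Crypt
SQLAuthenticate         users groups
SQLUserInfo     ftpuser userid passwd uid gid homedir shell
RequireValidShell off
"""
# The thread's fix: make mod_sql the only authentication module.
FIXED_CONF = WEAK_CONF + "AuthOrder mod_sql.c\n"

def parse_directives(text: str) -> Dict[str, List[str]]:
    """Map lower-cased directive name -> list of values (directives may repeat).
    Comments and <Section> tags are skipped; '#' inside quoted values is not
    handled, which is adequate for the directives this audit looks at."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        found.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return found

def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the checks passed."""
    d = parse_directives(text)
    findings: List[str] = []
    auth_types = {t.lower() for v in d.get("sqlauthtypes", []) for t in v.split()}
    auth_order = [m for v in d.get("authorder", []) for m in v.split()]
    if "plaintext" in auth_types and auth_order != ["mod_sql.c"]:
        findings.append("SQLAuthTypes includes Plaintext but AuthOrder does not restrict "
                        "authentication to mod_sql.c; system accounts stay reachable")
    if any(v.lower() == "off" for v in d.get("requirevalidshell", [])):
        findings.append("RequireValidShell off: accounts with non-login shells may log in")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf) or ["ok"])
```

The fixed sample still reports `RequireValidShell off`, which virtual SQL users usually need; the point is that it is then a deliberate choice rather than an unnoticed one.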