From nobody@FreeBSD.org  Mon Oct 11 11:26:01 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 32F1116A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 11 Oct 2004 11:26:01 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 266D943D55
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 11 Oct 2004 11:26:01 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i9BBQ0ve061531
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 11 Oct 2004 11:26:00 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i9BBQ0EI061528;
	Mon, 11 Oct 2004 11:26:00 GMT
	(envelope-from nobody)
Message-Id: <200410111126.i9BBQ0EI061528@www.freebsd.org>
Date: Mon, 11 Oct 2004 11:26:00 GMT
From: winnehr <root@monolit-r.ru>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Anyone can change root on anonymous ftp
X-Send-Pr-Version: www-2.3

>Number:         72508
>Category:       bin
>Synopsis:       ftp(1): Anyone can change root on anonymous ftp
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 11 11:30:20 GMT 2004
>Closed-Date:    Wed Aug 06 14:15:03 UTC 2008
>Last-Modified:  Wed Aug 06 14:15:03 UTC 2008
>Originator:     winnehr
>Release:        FreeBSD 5.1-RELEASE
>Organization:
JSoft
>Environment:
FreeBSD server 5.1-RELEASE FreeBSD 5.1-RELEASE #1: Sat Sep 11 00:43:46 VLAST 2004     winnehr@server:/usr/src/sys/i386/compile/new  i386
>Description:
Anyone can change root on anonymous ftp
>How-To-Repeat:
* logon anonymously on ftp (standart /usr/libexec/ftpd -l in /etc/inetd.conf)
* upload any dir to it and enter to it (for example with programm setup files)
* move on ftp server this dir to any other location (for example /tmp)
* exit from dir on ftp client and.... you in /tmp dir and can move to other dirs
>Fix:
      
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->feedback 
State-Changed-By: ceri 
State-Changed-When: Mon Oct 11 11:37:29 GMT 2004 
State-Changed-Why:  
To help us understand this better, could you please copy in a transcript 
of a session by mailing it to bug-followup@FreeBSD.org, leaving the 
subject line intact? Thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=72508 

From: Night Elf <johnnytk@math.dvgu.ru>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: misc/72508: Anyone can change root on anonymous ftp
Date: Tue, 12 Oct 2004 01:15:46 +1100

 |<-220 server FTP server (Version 6.00LS) ready.
 |->USER anonymous
 |<-331 Guest login ok, send your email address as password.
 |->PASS *hidden*
 |<-230 Guest login ok, access restrictions apply.
 |->SYST
 |<-215 UNIX Type: L8 Version: BSD-199506
 |->PWD
 |<-257 "/" is current directory.
 |->REST 0
 |<-350 Restarting at 0. Send STORE or RETRIEVE to initiate transfer.
 |->PORT 192,168,1,2,8,58
 |<-200 PORT command successful.
 |->LIST -la
 |<-150 Opening ASCII mode data connection for '/bin/ls'.
 |<-226 Transfer complete.
 |->CWD incoming
 |<-250 CWD command successful.
 |->PWD
 |<-257 "/incoming" is current directory.
 |->PORT 192,168,1,2,8,59
 |<-200 PORT command successful.
 |->LIST -la
 |<-150 Opening ASCII mode data connection for '/bin/ls'.
 |<-226 Transfer complete.
 |->MKD upload
 |<-257 "upload" directory created.
 |->PORT 192,168,1,2,8,60
 |<-200 PORT command successful.
 |->LIST -la /incoming/upload/plan.htm
 |<-150 Opening ASCII mode data connection for '/bin/ls'.
 |<-226 Transfer complete.
 |->SIZE /incoming/upload/plan.htm
 |<-550 /incoming/upload/plan.htm: No such file or directory.
 |->TYPE I
 |<-200 Type set to I.
 |->PORT 192,168,1,2,8,61
 |<-200 PORT command successful.
 |->STOR /incoming/upload/plan.htm
 |<-150 Opening BINARY mode data connection for '/incoming/upload/plan.htm'.
 |<-226 Transfer complete (unique file name:/incoming/upload/plan.htm).
 |->PORT 192,168,1,2,8,62
 |<-200 PORT command successful.
 |->TYPE A
 |<-200 Type set to A.
 |->LIST -la
 |<-150 Opening ASCII mode data connection for '/bin/ls'.
 |<-226 Transfer complete.
 |->TYPE I
 |<-200 Type set to I.
 |->CWD upload
 |<-250 CWD command successful.
 |->PWD
 |<-257 "/incoming/upload" is current directory.
 |->PORT 192,168,1,2,8,63
 |<-200 PORT command successful.
 |->TYPE A
 |<-200 Type set to A.
 |->LIST -la
 |<-150 Opening ASCII mode data connection for '/bin/ls'.
 |<-226 Transfer complete.
 
 //dir moved on server
 
 |->TYPE I
 |<-200 Type set to I.
 |->PORT 192,168,1,2,8,64
 |<-200 PORT command successful.
 |->TYPE A
 |<-200 Type set to A.
 |->LIST -la
 |<-150 Opening ASCII mode data connection for '/bin/ls'.
 |<-226 Transfer complete.
 |->TYPE I
 |<-200 Type set to I.
 |->CWD ..
 |<-250 CWD command successful.
 |->PWD
 |<-257 "/usr/local/apache/data/htdocs/antipav" is current directory.
 |->PORT 192,168,1,2,8,65
 |<-200 PORT command successful.
 |->TYPE A
 |<-200 Type set to A.
 |->LIST -la
 |<-150 Opening ASCII mode data connection for '/bin/ls'.
 |<-226 Transfer complete.
 |->TYPE I
 |<-200 Type set to I.
 
 
 Monday, October 11, 2004, 10:40:50 PM, you wrote:
 
 CD> Synopsis: Anyone can change root on anonymous ftp
 
 CD> State-Changed-From-To: open->feedback
 CD> State-Changed-By: ceri
 CD> State-Changed-When: Mon Oct 11 11:37:29 GMT 2004
 CD> State-Changed-Why:
 CD> To help us understand this better, could you please copy in a transcript
 CD> of a session by mailing it to bug-followup@FreeBSD.org, leaving the
 CD> subject line intact? Thanks.
 
 CD> http://www.freebsd.org/cgi/query-pr.cgi?pr=72508
 
 
 
  --==winnehr==--
        aka
 --==Night Elf==--
 
 ICQ: 147472743
 http://jsoft.monolit-r.ru/
 
 
State-Changed-From-To: feedback->open 
State-Changed-By: ceri 
State-Changed-When: Mon Oct 11 17:44:13 GMT 2004 
State-Changed-Why:  
Feedback received. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=72508 

From: Ceri Davies <ceri@FreeBSD.org>
To: FreeBSD Gnats Submit <freebsd-gnats-submit@FreeBSD.org>
Subject: misc/72508: Anyone can change root on anonymous ftp
Date: Mon, 11 Oct 2004 23:44:36 +0100

 Adding to audit trail.
 
 : Date: Tue, 12 Oct 2004 09:34:00 +1100
 : From: Night Elf <johnnytk@math.dvgu.ru>
 : Reply-To: Night Elf <johnnytk@math.dvgu.ru>
 : Message-ID: <1193737456.20041012093400@math.dvgu.ru>
 : To: Ceri Davies <ceri@FreeBSD.org>
 : Subject: Re[2]: misc/72508: Anyone can change root on anonymous ftp
 : References: <redirect-989769@imcs.dvgu.ru>
 : 
 : Moved dir must be within the same disk slice with source ftp dir.
 
State-Changed-From-To: open->closed 
State-Changed-By: edwin 
State-Changed-When: Wed Aug 6 14:02:20 UTC 2008 
State-Changed-Why:  
This is a so called "don't do this" issue. 

> Anyone can change root on anonymous ftp 

That is not true. You need administrator access on the FTP server. 
You need privileges to make the necessary changes to that file 
system. 

Don't move directories from unsecure parts of the filesystem to 
secure parts of the filesystem. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=72508 
>Unformatted:
