NcFTPd : FAQ: Security: Nessus

 

My Nessus security scanner is reporting vulnerabilities.

Below is an example Nessus report and the corresponding NcFTPd verbose log entries, with notes on how NcFTPd handles each test. Compare our report with yours and let us know if yours contains any additional messages, which could indicate either a new false alarm that should be documented in our report or an actual vulnerability.

The tests follow.  The actual text of the messages logged by NcFTPd and Nessus may vary according to the version of the software you have installed.


Vulnerability found on port ftp (21/tcp) :

    It was possible to get the listing of the remote root
    directory by issuing the command
    
    LIST C:\
    The data we could get is :
    C: No such file or directory

Comments:

NcFTPd is simply returning the error message "No such file or directory" back on the data stream, as many other FTP servers do.


Vulnerability found on port ftp (21/tcp) :

    The remote FTP server seems to be vulnerable to an exhaustion
    attack which may makes it consume all available memory on the remote
    host when it receive the command :
    
    	NLST /../*/../*/../*/../*/../*/../*/../*/../*/../*/../	
    	
    
    Solution : upgrade to ProFTPd 1.2.2 if the remote server is proftpd,
    or contact your vendor for a patch.
    Risk factor :
     High

Comments:

The verbose log entries below show that the attempt to escape the restricted directory was unsuccessful.  The timestamps on the log entries also show that a denial-of-service did not occur since the directory listing completed in the same second.

2001-06-30 08:02:09 #u3     | << NLST /../*/../
2001-06-30 08:02:09 #u3     | >> 150 Data connection accepted from 192.168.5.27:54460; transfer starting.
2001-06-30 08:02:09 #u3     | [/home] not in ~ftp=[/home/ftp]
2001-06-30 08:02:09 #u3     | Data connection closed.
2001-06-30 08:02:09 #u3     | >> 226 Listing completed.

Vulnerability found on port ftp (21/tcp) :

    The remote FTP server closes
    the connection when one of the commands
    USER, PASS or HELP is given with a too 
    long argument. 
    
    This probably due to a buffer overflow, which
    allows anyone to execute arbitrary code
    on the remote host.
    
    This problem is threatening, because
    the attackers don't need an account 
    to exploit this flaw.
    
    Solution : Upgrade your FTP server or change it
    Risk factor :
     High

Comments:

The verbose log entries below show that the buffer overflow attempt did not succeed: NcFTPd detected it and forcibly disconnected the remote user.  Note that NcFTPd purposely waited two seconds before sending the "550" message back to the remote client, and another two seconds after sending it.

2001-06-30 08:14:03 #u3     | Detected and prevented a Buffer-overflow attempt by user from BadGuy.Example.com.
2001-06-30 08:14:05 #u3     | >> 550 Your anti-social behavior has been logged.  You will now be disconnected.
2001-06-30 08:14:07 #u3     | Misc error, closed connection.
