Here's Jay Beale. He is with JJB Consulting. He is best known for the Bastille Linux script, available at all the usual mirrors. Jay is going to be talking today about hacking and securing FTP. So, take it away. Jay is also not going to be up here; he's going to be down here. That's Jay.

I'm Jay. Oh my god, that's a nice mic. Yeah. So I'll be down here. It's slightly harder to see, but I'm trying to do a little bit of demonstration today, and this is the only way I can see my screen. Does anyone need me to speak up? Okay, cool. Anybody got a baseball bat? So basically, the talk is kind of simple. There are a bunch of exploits against FTP servers, because FTP servers, especially wu-ftpd, but most of the rest too, have been bad. And by bad, I mean they have loved giving out root access remotely to anybody who can go and pick up scripts. So what I want to do is show you how to configure an FTP server so that for most of the attacks that would have worked, the attack fails. This is not black magic. These are really simple hardening steps that you can take. The idea is that the next time an exploit comes out, even if your version of the software is vulnerable, maybe you aren't vulnerable, or maybe the attack doesn't get very far. As far as I'm concerned, that's a good thing. So, the very first and the very last slide in these talks is often one encouraging you to just throw out your FTP daemon: get rid of it, delete it, remove it. You could even ask them to remove it from the CD. Well, maybe not go that far, but try to get off it yourself. FTP is probably like some of the lesser drugs: it's really convenient and it's definitely hard to get off of. I guess it's kind of like caffeine, you know? It turns out to be useful, but then you find that it was bad for you. No, caffeine's not bad. It's okay. Keep drinking.
So, why is FTP bad? Because we just say it's bad? That doesn't sound so good. So, the first thing is that FTP is clear text. If you are typing a name and password, and especially, who's hooked into the wireless right now? What are the wireless people in here doing? Well, if you are right now starting up an FTP session on the wireless, moving some files up and down from some account somewhere, somebody else in this room, probably about 25 somebody elses, is right now collecting your username and password. They'll be back on your server later tonight. Thank you very much. As far as I'm concerned, that's enough. That's enough for me to just throw out my FTP server. The next reason, which is not on here, and we're going to spend all day, well, not all day, but the next 40 minutes talking about it, is that FTP servers continue to get rooted eight ways from Sunday. This seems to happen on a regular, recurring basis, and it seems to happen no matter what FTP server you're running. It's very fun for everyone who's using the exploits, and not very fun for all of us who are getting nailed by the attacks. So why is FTP bad? Why are there always bugs in it? One of the reasons is that the damn thing was designed by a committee. I don't know how big a committee it was. It was designed in an RFC, so it probably started out small and got bigger and bigger as everyone threw in their own pet feature. Anything that has everyone's own pet feature thrown in here and there willy-nilly is generally going to end up having a good number of vulnerabilities, or at least one or two. Why else is FTP bad? Anybody ever notice that when you're using an FTP client, the data comes to you through a second channel? It's a second port.
If you've ever run into that problem, it's hard to firewall properly, especially when you've got a stateful firewall. You've experienced this: you've authenticated, you've told the server who you are, it's responding, everything is good. It goes to send you a file. Well, that second channel in the FTP session isn't authenticated. Which means there are some nice tools out there to help you steal other people's FTP file transfers. Now, each of these could definitely be defeated if you use something like SSH and SFTP. There are Windows clients. There are Mac clients. There's really virtually no reason not to use it. If you use something like this, you dodge all of this. It's all encrypted, so they can't steal your name and password. It's all encrypted, so they can't steal your data on the way. So it's pretty nice. It's also pretty easy to firewall properly, so we all get to be happy. So now what I want to do is show you a bunch of vulnerabilities. I'm only going to demo one, but I want to show you a bunch of vulnerabilities and talk about how you can defeat each one of them. The first one is the FTP conversion problem. Has anybody ever gone to an FTP site like Packet Storm, and you want everything in a directory, so instead of pulling it down file by file, you say `get directory.tar` and it builds you a tarball and sends you the tarball? Anybody use that? Raise your hand if you have. Five, six, seven. Okay, so a few of us have used this. Eight. I'm happy. So this thing is getting used. This was a nice little feature that was added into FTP servers. Unfortunately, in this case, this was wu-ftpd 2.4 through 2.6.0. So this was a while ago for Red Hat and SuSE and Mandrake, but who's running Red Hat before 6.2 right now?
Oh, come on, someone is. Okay, we've got one. How's your FTP server, dude? No, I'm just playing. So I want to show you how this works. I'm going to show you on the slides, and I'm going to actually demo it, because that's a lot easier than just talking about it. The first thing is what we've got to do. It turns out that if you can pass the FTP server a weird file name, and then ask for that file name back as a tarball, that file name ends up getting passed to tar. Because when your FTP server creates a tarball for you, it's actually running the tar command. So if we can get it to run tar and pass it something the original designers of the FTP program didn't think of, then we can have some fun. So the first thing you do to make this exploit work is build a single backdoor program or script that you can run. You can't pass it any options, or at least I can't make it take any. So I'm building a backdoor which is just a shell script called `script`. What that script is going to do is run Netcat, tell it to listen on port 6666, nice and easy to remember, and run a shell. Well, not a root shell, but a shell, as whatever user I'm in as. I need that program to be executable, and I'll talk about this later a little bit if you ask me to. So I tarred up a copy of Netcat and that script into a little tarball called `b.tar`. And the last thing is `blah`; that's the script name we'll be seeing. I create a script called `blah` that says: untar my tarball and run my backdoor script. You're going to get to see this a second time. The next thing is I create a special file name that the FTP server people were not expecting me to create.
Which is `--use-compress-program=bash blah`. The deal is, if I can pass that option to tar, what I'm doing is saying, hey, by the way, I'd like to run tar and pull down a directory, but actually, while we're at it, I'm kind of chintzy about the bandwidth. Why don't you compress it? Here's this program I've got called `bash blah`. Just use that one. And tar will be happy to do that for you, because tar is not expecting that you're running this remotely. So tar will be happy to do that for us. And what we're going to do is FTP up to the target, as I'll show you. We're going to put our `b.tar`, which is basically our backdoor. We're going to put the `blah` script there. We're going to put this weird file name, and then we're going to ask it to give that file name back, but with a `.tar` on the end. And so what will happen is the server will run tar, tar will end up running `bash blah`, that'll run `blah`, and what `blah` will do, if we all remember, is open up that tarball and run our backdoor. So it's a little convoluted, but actually that's the way a lot of these exploits end up being, as some of you have probably found out on your own. Okay, so what I'll do is switch to the screen. Oh, no. Sorry, freaking Microsoft. So I'm going to connect to the FTP server to show you how this works. Or not. We're running VMware, so it takes a couple of seconds. We'll see. Let's see: `jay`, password `jay`, right. We pick nice, strong passwords here. So: put `blah`, put `b.tar`, put `--use-compress-program=bash blah`. It takes that. Mistake number one: it shouldn't be taking a file name that looks like that. And now let's get it with the `.tar`. Oh, no. That's not good. What's that?
Oh, yeah, no, I need the double dash. Oh, come on. Well, let's run our put. It's there. Okay, there we go. I'm not sure why it didn't work the first time. It worked this time. I'm happy. So what's happening now? The FTP server's not doing anything. It says it's doing the transfer; it's just hanging there. Why is it hanging? I didn't crash it; it's not that. It's waiting for that tar command, because it's tarring up whatever directory we just asked for. So it's waiting for the tar command to finish running. Well, that tar command is waiting for Netcat to finish running, and Netcat is waiting for us. So let's move that screen up. `nc 192.168.3.129 6666`. I have a specially compiled version of Netcat. So I get a blank. What is that blank? That, whether or not you believe me, guys, is my prompt, I promise. This is the real deal. You're welcome to try this out later on. So what I have right now is user `jay`. This exploit gets you whatever user you logged in as. If you log in as anonymous, you end up getting user `ftp`. We got user `jay` because it's a lot easier to show this version of the exploit. Well, that's kind of no fun. I mean, it is fun, but we'd like to have a little bit more. Yeah, okay. Thanks. So we've got user `jay`, and we'd like to have a little bit more. I happen to know, just from my nmap scan, that telnet was running on this machine too. The banner told me I'm actually talking to a Red Hat 6.1 box. It turns out there's a program on the box called userhelper. And userhelper is a problem, and we've got a tool to help exploit that problem, and that tool is called userrooter. By the way, as long as I'm at DEF CON, did anybody in this room write that tool? Okay, well, just in case. I've had that happen a few times here.
The person who wrote the tool is like, yeah, I wrote that one. Thanks, dude. So the tool is called userrooter, and it's a real simple script. The reason it works is that there's a program called userhelper, `/usr/bin/userhelper`, that has a vulnerability in it. And it's a really dumb little vulnerability. I can explain it to you sometime, but not right now. But anyway, it's a dumb little vulnerability, and I've got a tool that exploits it. Because we can run that file, the way this thing works is it runs userhelper, passes it some weird data, and userhelper craps out and gives us a root shell. This is another one of those weird shells that doesn't come with a prompt. But that's all I need. I'm happy. Just in case you're still wondering, dude, I've got root on the box. There's `jay`'s encrypted password. There's root's encrypted password. If anybody's got Crack, we can go and find out what those are for fun. With root, we can do all kinds of stuff on this system. But we're not going to. I know we could spend, like, the entire talk on how we're going to nail this guy, Jay. But let's leave his box alone. Please. So this is what we did. We netcatted into our target. We got a remote shell. We ran userrooter. What I've shown you is how we can add userrooter to the tarball: when we send up the tarball, just add userrooter to it. So we ran Netcat, we connected to the port, and we grabbed root, which is very nice. It was very helpful. Much joy. This exploit is actually a lot harder to pull off anonymously, so I'm not going to. Because what we'd end up getting is user `ftp`, and then, if everything's set up properly, it's a pain in the butt to get from there to root. It is tougher to pull off.
And one of the big reasons it's tougher to pull off is that whenever you're on a wu-ftpd server and you connect anonymously, it sticks you in a directory. It sticks you in a chroot prison. On Red Hat, that's `/home/ftp`. You can't get out of `/home/ftp`. Kind of. I'm lying. But the way it's designed, you can't get out of `/home/ftp`. You're stuck as a non-user, as user `ftp`. And there are no fun toys to use, either to hit other systems, although I guess you can bring some with you, but there are no fun toys on the system to give you more privileges. We can't get to userhelper; we're stuck in this prison. That sucks. We end up with user `ftp`. User `jay`, what's the point of that? I mean, yeah, we can read Jay's email. That's kind of good. But we can't actually wreak that much havoc on the box. So as defenders, one of the things we're going to talk about is how we can do some of that chrooting stuff to every user. Now, how can we avoid the attack entirely? Well, we can avoid the attack entirely if we tell people they're not allowed to use tar. No, you can't ask for a tarball of the directory. And you're not allowed to use the compress feature. You're not allowed to say, give me a gzipped version of that tarball. Now, since there are only eight people in this room who use it, and I'd say we're kind of the most knowledgeable of users because we're hanging out at conferences instead of doing what other people do, there may be even fewer people in the general population who are still using FTP who are going to try to use tar and gzip through the FTP server anyway. So one of the ways we can break this exploit is to make it so that you can't actually get the FTP server to run tar, and so that you can't run gzip. There are other things you can do, too.
One of them, as far as the anonymous attack goes, is that we can make sure that any time an anonymous user puts files on the server, they can't pull them right back down. And we're going to talk about how that's really useful. The biggest issue is that it stops you from getting turned into a warez or DivX site. People aren't going to use your FTP server, if they find it randomly, to exchange MP3 files. You may not like that, because you're probably getting some good ones, but we can set it up so someone can't download any files they uploaded right afterwards. The last thing we'll do is put in a path filter. The reason that attack worked was that there was a `--use-compress-program`. Dude, people shouldn't be giving us any files that begin with minus minus. If they want to, they can find some other way to give us those files, but I can't find anybody who calls all their Word documents, or whatever, or even C programs, minus minus something. By the way, before you think the J-man is a Microsoft lover, we're just using PowerPoint because it worked, okay? Don't be throwing anything at me. Laughed at, at DEF CON. So anyway, what we're going to be doing is playing with the ftpaccess file. Sounds like it's the access control configuration file for FTP? Yeah, it is. It's about the only one, too. This is about the only configuration file for wu-ftpd. I don't know if most FTP servers even came with this originally. I strongly doubt it. This stuff probably got added. Anyway, I'm going to show you how we're going to be changing that file. So the first thing we can do in that file is make sure that these six lines (six lines, I can count) are there. If they're all there but look different, just change them to this.
And what this says is that anybody using the FTP client can't ask for compression, can't ask for tarring, can't change the permissions on a file, can't delete any files, can't overwrite them, and cannot rename them. Because some of that renaming would be really useful to us: we can upload a file with a different name and then rename it to dash dash. So rename's bad. So we just switch that stuff off, and we actually get pretty far. I've also included instructions on how you can make an anonymous upload area that we're not going to let anyone write to. I'm not going to go through each of the lines here, but I'm giving them to you to be useful. Basically there are two lines that we do. What we do is create an incoming directory. In `/home/ftp`, the place that all the anonymous users get stuck in, we create a directory called `incoming`. We say you can put files in there. Files go in; they don't go back out. You can put files in there, but you can't pull them back down. The idea behind that is that you don't get used as a warez trading site unless you want to, and you don't end up having exploits like this work. So what if you want to exchange files, because people upload them? You have somebody, or some post-processing script, that goes and moves them over, maybe after inspecting them, maybe not; your call. But at least you stop the exploits, and maybe you stop people you don't want using you for exchange from using you for exchange. Microsoft people, I don't mean that Exchange. What else can we do? These are just little steps. We can set a umask. What's a umask? All the Unix users in the room probably know what a umask is. It says what permission bits can't be set.
And trust me, what this one means is that any file you upload will not be readable, writable, or executable by anybody but the user who put it up there, or by user `ftp` or whatever. And then finally, any file that's put on there may be readable, and it's writable by you, but you can't run it. So if you're going to upload backdoors, you're going to have to find some other way to run them. The last trick did not depend on this umask, but this is just true. Here's another vulnerability. This one was a denial of service vulnerability. This is quoted directly from SecurityFocus. What this will do is slam the wu-ftpd server down. Maybe it'll reboot the box. This works on Red Hat 6.2 and SuSE 7.3. It also works on LSX 10 and 10.01. It works on Solaris 8. It works on the released version of HP-UX. Yes, there are still a lot of extremely vulnerable HP-UX boxes out there. More on that later. You can stop this. There is a way, in terms of stopping this attack; well, one is that we can contain it, by putting in some resource limits. So if the FTP server enters a pattern that it can't resolve, then it doesn't take over all the runtime on the system, which is nice. Because any of you who is a sysadmin of the FTP server, when somebody hits it with a weird command, you'd rather just have the FTP server fall down so you can bring it back up in the morning. You don't want to get called because the whole machine hung, along with whatever is vital on that thing, like the web server. Another way to avoid it is a path filter. A path filter is an actual filter on what file names are allowed to be uploaded to and downloaded from the FTP server. We also tell FTP to run at a high nice level: tell it to be very nice to other processes. I gave you 10. You can put it higher. I didn't do it. We're near the airport. Okay. We're near the airport.
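The ftpaccess changes Jay walks through above, collected into one fragment as an added example. This is the editor's illustration of the wu-ftpd `/etc/ftpaccess` directives, not a file from the talk or from Jay's slides, and it makes assumptions the talk does not state: the anonymous root is `/home/ftp`, the drop box is `/home/ftp/incoming`, and the path-filter rejection message lives in `/etc/pathmsg`. The weak stock settings are shown commented out next to the hardened ones; the `passwd-check` line belongs to the anonymous-login point Jay makes later in the talk.

```conf
# /etc/ftpaccess (wu-ftpd) -- hardened fragment, editor's added example.
# Assumptions (not from the talk): anonymous root is /home/ftp, the upload
# area is /home/ftp/incoming, and the path-filter message file is /etc/pathmsg.

# 1. Turn off the conversion features the --use-compress-program trick rode on.
#    Stock configs ship these as "yes all".
# compress   yes all
# tar        yes all
compress     no  all
tar          no  all

# 2. No permission changes, deletes, overwrites or renames for any class:
#    rename is what turns an innocently named upload into "--something".
chmod        no  all
delete       no  all
overwrite    no  all
rename       no  all

# 3. Anonymous drop box: files go in, nothing comes back out.
#    Uploads under /incoming land as root:daemon mode 0600 with no
#    subdirectories, and noretrieve refuses to serve anything from that tree.
upload       /home/ftp *         no
upload       /home/ftp /incoming yes root daemon 0600 nodirs
noretrieve   /home/ftp/incoming

# 4. Path filter: plain characters only, and nothing starting with "." or "-".
#    Stock configs apply this to anonymous alone; apply it to every login class.
path-filter  anonymous,guest,real /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-

# 5. Default umask for uploaded files: owner-only, never executable.
defumask     077

# 6. Anonymous password must look like an e-mail address, and a bad one
#    drops the connection instead of just warning ("warn" lets mozilla@ in).
# passwd-check rfc822 warn
passwd-check rfc822 enforce

# 7. Be nice to everything else on the box if the daemon goes into a loop.
nice         10
```

The other change Jay describes, starting the daemon as user `ftp` instead of root, does not live in ftpaccess; it is the `user = ftp` line in the xinetd service definition, or the user column in `/etc/inetd.conf`. A quick check after editing: in an anonymous session, `put --x` should be refused by the path filter, `get somedir.tar` should fail now that `tar` is off, and a file dropped into `incoming` should not come back down with `get`.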
You can also, on a Linux box, use what's called limits.conf, `/etc/security/limits.conf`. In there you can put some really, really fine-tuned limits on how much memory and how much CPU this thing can use. I don't have good numbers to recommend to you. They seem to vary very much by implementation and site. I've tested some for myself, but I still don't think I'd give them to you, because I might break something and you might get really mad at me. So you can use the procinfo command on a running FTP process, or any process, to kind of find out how much memory it's using and so on, and try to set good limits. And once you do, these are the kinds of limits you can set in limits.conf. Basically, most of them deal with how much memory, and what kind of memory, the thing can use. Another exploit. There was another globbing vulnerability. Globbing is where you put a star or a question mark in and it matches different file names; the star expands into a bunch of file names. That's called globbing. Globbing is something we can't turn off, or I'd be telling you how to. wu-ftpd 2.6.1 had another vulnerability in the globbing code. It was in up through 2.6.1. Red Hat 7.2, SuSE 7.3, Mandrake 8.1: vulnerable. This slide originally said the exploit was believed to be in circulation but not publicly available. I got very trustable word yesterday that there actually is an exploit out. Does anybody have it? If anybody has that exploit, I'd really appreciate getting it. I'm serious. I'd really appreciate you giving it to me, because I can show it to other people, or just see it or something.
You can test to see whether the server is vulnerable, and I recommend you try this with your printers, or whatever, if you've got printers with FTP servers. By the way, if you've got a printer attached to your network and you think it doesn't have an FTP server, most of the time the answer is: think again. A lot of them do, and they're running old FTP servers that have a whole bunch of vulnerabilities. If you run this, just `ls ~{`, you'll see the FTP server hang. I guess since this is in the globbing code, we can't shut it off. The best thing you can do is, since somebody needs an authenticated session to actually run that, don't let them have one. If you're not using the anonymous mode on your FTP server, or if you decide, as a result of this talk or others, that instead of running that part over FTP you're going to do it out of the web server, turn anonymous mode off and you don't get nailed unless someone steals an account. Now, the way we did the exploit that I showed you, we assumed that I'd stolen Jay's account. But in this room that's probably not that weak an assumption, because maybe Jay's sitting in the front row FTPing away and I'm like, name and password, really good. I know where to go. So you can't necessarily stop someone from stealing an account, especially if you're at a university. How many people in here work at universities? For those of you at universities, how many stolen accounts do you think you see in a month? Don't know? When I was at a university, we saw a big number. Yesterday I gave this talk at Black Hat as well, and the answer somebody gave me was about 20 a month. Let's just say it happens often enough at the university. It happens often enough anywhere you've got people using FTP. One of the best things you can do is try to stop those accounts from getting stolen. That one's hard.
In terms of actually containing the attack: this one is a DoS, but actually the other thing it can do, and I don't have the exploit, but if I did, what it could do is run remote code as root. That's no fun. This attack, just like another one, is actually able to get the FTP server, which is supposed to drop down from root, to go back up. And when it goes back up, you're also able to break out of the chroot jail, if you're stuck in one. The deal is you can stop this, and I'm going to show you how: you can stop this kind of attack from giving somebody root by never running the FTP server as root in the first place. The FTP server is run by inetd or xinetd. That program runs as root, and when it gets a connection on the FTP port, it starts up the FTP program, hands it the connection, and it runs as whatever user it's told to run as, which is generally root. The reason it's going to run as root is that if I log in as user `jay`, it has to be able to switch over to user `jay` and only let me write files and get files that `jay` should be able to get. If it stayed as root, I could just say, hey, give me the shadow password file. Oh, by the way, while you're at it, why don't you put up this replacement shadow file for me? So we don't want it to run as root. It starts as root and drops down.
The deal is, if you're only using FTP for anonymous access (I don't know how many of you are running FTP to help users out, to allow ordinary users to log in and push up their files and pull their files down), but if you're not, and you're only using anonymous mode, then you can set this thing to not start as root, but to start as user `ftp` and stay as `ftp`. Because remember, when somebody logs in anonymously, the server switches into user `ftp` and stays there until they disconnect, and when the next person logs in it starts as root, switches to user `ftp` again, and keeps going like that. Well, you can just start it as `ftp` and leave it that way. Because if you do, then any attack that would have had the FTP server give somebody root directly, by going straight up from one user to root, won't work, because it can't go up to a privilege that it never had. That's just how Unix works. So I'll show you how to do that. I just want to show you one more vulnerability where this kind of defensive measure is useful. wu-ftpd had a format string vulnerability back when all the format string vulnerabilities came out. These things are still getting discovered; I'm sure they're not all out yet. The nice thing was that you could log in as anonymous and go directly to root. You didn't have to use any privilege escalation, nothing like that: start as anonymous, go to root. So great. I've seen the code, I've got the code if anybody wants to look at it after the talk. It's really nice. One of the things it does is say, hey, can you switch me back to root? I mean, we were just root, so can't we just go back? So it switches the FTP server back to root, breaks out of the chroot prison it was stuck in, and hands you a root shell. Very, very, very useful thing. TESO has got an exploit for this vulnerability, which I called 7350wu.c, and like I said, you can
use this to get back to root even when you're logged in as user `ftp` through an anonymous session. The nice thing about this particular thing is that if it's run by the script kiddies in its default mode, when the FTP server asks for a password in anonymous mode (it says, hey, give me your real address as your password), it just gives it `mozilla@`. The thing about `mozilla@` is, you know, if you go to an anonymous FTP site and you type in `anonymous`, it says anonymous access okay, type your email address as a password. Well, most of them, if you type in "screw you", it's like, yeah, I'll screw myself, and you can have access, just next time please be nicer. So one of the things I'll show you how to do is tell it: no, only accept something if it actually looks like a real email address. It doesn't have to be a real email address, but it has to look like one. So if we enforce this, this exploit breaks. It's really kind of cool. Additionally, if we start the FTP server off as user `ftp`, this exploit will still work, but it won't give you root. It'll give you user `ftp`. And while people have figured out easily how to get root to break out of chroot prisons, as user `ftp` I don't know of any techniques. That doesn't mean that somebody in this room doesn't have one, but it means that at least I don't know about it and it's not widely publicized, which is great for us, because we're getting attacked by tons of people who don't have the coolest new tools. Another airplane. So I'll show you how to do each of these. The first is, there's usually a line in most of your wu-ftpd ftpaccess files that says `passwd-check rfc822` and then it says `warn`, or it says `trivial`, but usually it says `warn`. Remember, it's like, screw you; yes, I will go screw myself, I'm just
you know, but it'd be nicer next time. We change it to say `enforce`. When it says enforce: don't let someone in, break the connection. The nice thing is that when you have a script kiddie running TESO's exploit, or a worm running TESO's exploit, each of them (I generally think the script kiddie is about as smart as the worm; if you are a script kiddie, don't hurt me, but I think they're about as smart as worms) generally doesn't recover from the first error very well, even if the error was, what the hell, I need a real email address. The script kiddie doesn't know how the exploit works, doesn't notice that `mozilla@` thing, says ah, fuck it, I'll go try another exploit, or I'll go try another server. Either way the exploit is broken, or it doesn't work against this server; either way we're good. The worm just doesn't hit you. It attacked, it didn't work, that's fine, it goes on from right there. Okay, the SITE EXEC problem was Red Hat up to 6.2, SuSE up to 7.3, and HP-UX; hey, the most recent release, 11.11, very new, still got an old FTP server version. Now SITE EXEC, again, very annoyingly, can't be deactivated. I've looked; I can't figure out how to do it. You really can't do much. There is a command that tells it how many lines of output to give you; I don't know if we're going to get anywhere with that. But what you can do is, like I said, first do that little trick we did; it's going to halt the worms at least. Additionally, make the FTP server run as user `ftp` instead of as root. If we can do that, we're in good shape, because the script kiddie, heck, the real hacker, or even the worm, if they get access, they get it as user `ftp`, not as root. They're stuck in a little chroot prison. If they uploaded programs, they can run their own programs, but they had to have made sure to upload those programs before they broke the
ftp server because the ftp server is broken now okay or maybe it's not okay so they can bring programs with them but they're not gonna get anywhere because no local exploits gonna work unless you know the one or two programs that's in the true prison is actually vulnerable you all know you understand how this true prison idea works anybody confused okay your liars but no it's cool okay basically there's nothing in there that's stuck in the directory that's got like six files whatever files the ftp server needed to run and only one program and that's ls so unless there's a vulnerability in ls and it could be but unless there's a vulnerability in ls you don't get anywhere and by the way it's a statically linked ls so don't get any dynamically linked stuff okay so how do we do that how do we run this ftp server as user ftp instead of root or if using ftp you change user from user equals root to user equals ftp if you're using an id.conf then you just change this little thing right here it was root we changed it to ftp and we're good okay any questions so far okay cool okay now we said before truiting is going to contain truiting the nice thing is truiting okay but root can break out of it what we've done is we've just basically decided we're not going we're not going to trust the ftp server to actually drop privilege we're going to force it to have less privilege in the first place so it doesn't have to drop privilege and maybe get it back it just starts out with nothing okay there's I think this is the last vulnerability I'm going to show you and this vulnerability is basically you ever go to ftp site and greet you with a nice little message it says we have you know we have no this site is so and so you might want to look at this only director because that's why the mp3s are okay if you're not using this message function is called message if you're not using it we can turn this off the reason is the vulnerability exists is the message thing is a nice feature it has a 
little thing like every time someone changes director you show them this message this message can have little things like aaten myself or you know %n how many users are currently logged in this is another feature okay one of the biggest things I do when I'm trying to harden applications when I'm trying to harden servers is I try to turn off all the features that I'm not using and if I can I try to convince myself we are users there may be some features that we don't need as much that we can turn off too because the big deal is find a vulnerability in a piece of software. The great thing here, I mean I know you all think I'm right, but wait, I like my features. Okay, well the thing is, yeah, you like your features, choose which ones you like, keep those. The rest, turn them off because maybe one of the ends of having a vulnerability, you'd rather not have the vulnerability, especially if it's a real word grab. Trust me on this. Okay, there's a buffer of a flow in that feature. It can be exploited if somebody can write a message file. They give you root if you can write a message file. It's just pretty nice. Now, you can turn this off because what you do is you just remove those two message lines. Another possibility if you have to keep this functional is you just make sure that every single freaking directory that can have a message file, okay, isn't writeable. Now what else does that mean? What about the directories that don't exist? We have to make sure they can't make directories because if they can make directories or upload directories, that's not so good because then they can put their own message file in there and grab root. Okay, well, one of the things we did with that upload area, the upload instructions I gave you, there's something called no do's in it, which says somebody who's uploading cannot create directories in the incoming area. They can't create new directories. All they do is switch around and move among directories. 
And these are basically standard. That kind of thing is just a standard recommendation, and it's to stop specifically things like this: people creating directories, they're gonna stick .message files in. The other big way to stop this .message file thing is with that path-filter we were talking about, the thing that stops anybody from uploading something that begins with a dot or a dash, okay? So, if we can set a path-filter, this is avoidance. It's all about avoidance or containment; this is avoidance. If we can stop somebody from writing any file that begins with a period, they can't upload their own .message file, okay? This is, again, the path-filter thing. If you look at the FTP man page, it's a standard recommendation, because the idea is, if people could upload files that began with a period, if they could upload files that began with a period, then they'd end up uploading hidden files. You wouldn't see them, maybe they're real big, maybe they're bad, whatever. So we don't want that in general, and it also happens to stop this exploit.

Okay, the big message here is, okay, what I'm doing is I'm teaching you how to harden an FTP server, not just to break the five exploits that I brought with me, but to break the sixth one, the next one that comes out. The idea is, when the next exploit comes out, and it might be out right now and most of us don't know about it, and there's one guy in the back of the room chuckling, you know, he's gonna get Jay. Okay, the idea is to be hardened, to harden the server. Okay, so when that guy's got his exploit, none of us know about it, the vendor sure as heck doesn't know about it, whatever, the guy who writes wu-FTP doesn't know about it, so nobody's issuing a patch because nobody knows about it. The idea is we don't get hit. He tries it on us, it doesn't work because we're hardened. He tries it on other people, they get hit, they wonder, is there a new vulnerability in FTP that I don't know about? You know, and the answer is yes.
So the idea is, we're trying to apply this stuff, best practices, whatever, ideas that Jay comes up with, ideas that somebody else came up with, to try to stop people from breaking us with vulnerabilities, either ones that we're vulnerable to now and we know about, or the ones we're vulnerable to and we don't know about yet. No, I'll have the fun, by the way. Okay, cool.

Okay, what else can we do? We can also remove the message lines from the configuration file. I showed you which ones those were. We pull them the heck out. We pull them the heck out, and then somebody can't use this against us, which is really nice, okay? It's really nice, we didn't have to do much. Just pull out those two configuration lines, and all of a sudden we're not vulnerable anymore. I'm really liking that. Here's how you pull them out. It's a little grep command. It just says remove any lines that look like message. Okay, avoidance is really good. If we're not able to avoid, we definitely want to contain, and I showed you, I've talked at some length about how you want to do this. You want to just run your FTP service as user ftp. If you're only using anonymous mode, this is exactly what you want, okay? I showed you how to do that.

What else do we want to do? This additional stuff, here's logging. Logging is the second most boring area of security. Okay, the first most boring area of computer security is patching. Patching and logging. Patching helps you avoid this stuff. Logging helps you know when you've gotten hit by it or when someone's trying to hit you with it. We want logging. I'm sorry, we want it, but it's very useful. Log security says, log anything that looks like a security violation. So when he mistypes the password, let me know about it, because it might be somebody just careless, missing it, but if they miss it 50 times in a row, that might be someone trying to guess the password. Log all the commands. What the hell, let's be paranoid. Every time somebody types a command, let's log it.
Disk space is cheap these days. You can cycle your logs if you're worried about it. Let's log it. Okay. What else can we do? There's an ftpusers file on every system. That file says what users aren't allowed to use FTP. Okay, normally one of the things I stand up here and say is, okay, make sure to put every single user that's like a system user, not a human, into this file. Like, okay, don't miss any of them. Well, screw "don't miss any of them." If you know the UID, if you know the user ID that the system users end at, you just say deny-uid, don't let anyone log in if they're between zero, that's what the lack of a number means, between zero and 499. On a Red Hat system, it's zero through 499. Okay, on a Solaris system, it's zero through 99. If you want to know on yours, you probably take a look. But yeah, so we set that.

Okay, the last major thing I want to talk about is worms, auto-rooters. Nice little tools, they run and root boxes for you, and they just go and root a bunch of boxes and tell the owner, potentially, hey, these are all the systems I got for you. What have you done for me? Okay, these give you really nice gifts. Okay, the Honeynet Project, the Honeynet Project has a few fun statistics. One of them is they took a machine, well, this isn't a statistic, it's anecdotal, right? They took a machine, stock Red Hat 6.2, they put it down, plugged it into the network. 92 seconds later, the system had been scanned, it had been compromised, and it was now looking for other systems, because a worm had come through, had gone and been scanning that portion of the IP address space, found it, exploited it, set up shop there, and started going and scanning for more machines. 92 seconds, okay? The fastest time for a human was 15 minutes. So these are just like automated hackers. Script kiddies will get you real quick. Are there script kiddies in the room? Yeah, I know, okay?
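An added example, not part of the talk: the "if they miss it 50 times in a row" point turned into a check you can run over the lines that `log security` produces. The sample syslog lines are constructed, in roughly wu-ftpd's "FTP LOGIN FAILED FROM host [ip], user" format (that format is an assumption; match the grep to what your ftpd actually writes).

```shell
#!/bin/sh
# Added example, not part of the talk. Turns "if they miss it 50 times in a
# row, that might be someone guessing" into a check over ftpd syslog lines.
# The sample lines are constructed, in roughly wu-ftpd's "FTP LOGIN FAILED
# FROM host [ip], user" format (an assumption; match it to your own ftpd).

# write_sample_log FILE: write the constructed sample syslog excerpt.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun  3 02:14:01 ftphost ftpd[2041]: FTP LOGIN FAILED FROM scan.example.net [192.0.2.7], jay
Jun  3 02:14:02 ftphost ftpd[2042]: FTP LOGIN FAILED FROM scan.example.net [192.0.2.7], root
Jun  3 02:14:03 ftphost ftpd[2043]: FTP LOGIN FAILED FROM scan.example.net [192.0.2.7], admin
Jun  3 02:14:04 ftphost ftpd[2044]: FTP LOGIN FAILED FROM scan.example.net [192.0.2.7], test
Jun  3 02:14:05 ftphost ftpd[2045]: FTP LOGIN FAILED FROM scan.example.net [192.0.2.7], guest
Jun  3 02:14:06 ftphost ftpd[2046]: FTP LOGIN FAILED FROM scan.example.net [192.0.2.7], ftp
Jun  3 02:20:11 ftphost ftpd[2050]: FTP LOGIN FAILED FROM desk12.example.org [198.51.100.4], alice
Jun  3 02:20:19 ftphost ftpd[2051]: FTP LOGIN FROM desk12.example.org [198.51.100.4], alice
Jun  3 02:21:40 ftphost ftpd[2052]: ANONYMOUS FTP LOGIN FROM nat.example.com [203.0.113.9], mozilla@
EOF
}

# flag_guessers LOGFILE THRESHOLD: print "count ip" for each source IP with
# at least THRESHOLD failed logins, worst offender first. Successful and
# anonymous logins are ignored; only the FAILED lines count.
flag_guessers() {
    grep 'FTP LOGIN FAILED FROM' "$1" |
        sed -E 's/.*FROM [^[]*\[([^]]+)\].*/\1/' |
        sort | uniq -c | sort -rn |
        awk -v t="$2" '$1 >= t { print $1, $2 }'
}

# usernames_tried LOGFILE IP: the distinct usernames an IP failed with, which
# separates a fat-fingered user (one name) from a guesser (many names).
usernames_tried() {
    grep "FTP LOGIN FAILED FROM .*\[$2\]" "$1" |
        sed -E 's/.*\], *//' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_log "$tmp/messages"
    flag_guessers "$tmp/messages" 5
    usernames_tried "$tmp/messages" 192.0.2.7
    rm -rf "$tmp"
fi
```

Run it with `sh flag_guessers.sh demo`; one source trips the threshold, and the username list shows it was walking through account names rather than mistyping one password. Against a real box, point the functions at `/var/log/messages` (or wherever your syslog sends the ftp facility) and pick the threshold from your own users' typo rate.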
Now, the nice thing about worms and script kiddies is often they sacrifice knowledge, or intelligence, for speed or laziness or whatever. So in the case of the worm, they generally do it for speed's sake, or they do it because the person who's writing it just didn't think to write it or add more, maybe they're lazy, maybe they didn't know how. What the worm does is it goes around scanning FTP server banners for build dates, not for version numbers, but actually for build dates, because it knows the particular things that it's got working shellcode for, so it's looking for them. The secret is, we can avoid being attacked. Even when we're freaking vulnerable, we don't have to get hit by this thing if it just thinks that we don't have a wu-FTP server. It's not a two-minute warning or ten-minute. Two minutes. Go fast, Jay. Okay? This tool, what it does, okay, there's also another one, autowu. Okay? I don't know, anybody that would write autowu? Nobody wants to raise their hand. Okay, fine. What this tool does is it scans big old networks looking for vulnerable versions, and I think that one actually looks by versions, and if your banner matches the right one, then it attacks you. Each of these two tools, this is autowu. So you fire this off, you give it a class B that you want to target, and it goes, roots as many machines as it can in that class B, and lets you know which machines you now own. Okay? A class B is, like, 65,536 addresses, a few less usually. Okay? You might get 1,000 systems, whatever; who wouldn't give for 1,000 systems. Okay? The nice thing is, if your banner doesn't look like wu-FTP, this doesn't work. Okay, so what do you do? Well, wu-FTP will actually let you set your banner. You can say greeting terse, which means don't give out your version number, just give out "FTP server ready." Okay? Well, you can also give it, let it do arbitrary text.
I don't know how many of you can read this, but what I do is, instead of greeting terse, I put greeting text, and now mine says ProFTPD 1.2.0.10 Server. Why is this nice? If you're a worm, this doesn't match any of your patterns. Doesn't have the build date that you're looking for. Okay? It doesn't have the version number you're looking for. Doesn't even say WU. Okay? If you're a script kiddie, or maybe even a hacker, okay, what does it do? It says, I'm Pro. You're like, okay, I'll get out my Pro tools. This one's not a WU. This one's not a WU server. I can't use my WU exploits. I'll have to come up with my Pro exploits. So they're firing their Pro exploits at a WU server. It's not vulnerable. At least, if it is vulnerable to the same problems, the general attack has to be very, very, very tied to the target, so it doesn't get anywhere. And this is, like, really easy. How many of you are shouting "security through obscurity"? Okay, nobody's shouting that. But when I get people to shout about my first quote, my first answer is, hey, it worked. You know? It's like, okay, I'm gonna do everything possible I can to protect this thing. I'm gonna do everything I can to keep the sucker patched. It'd be really nice if I didn't get hit with, if I didn't get hit with some of the exploits because whoever it was that was gonna exploit me figured I wasn't vulnerable. That'd be nice too. Okay? Either way, you'll also have to, that greeting banner, you'll also have to change your stat banner. Okay, stat is, once you log in, you can type stat. It'll tell you what kind of server it is. So you gotta make sure to get it in the other, get it in both places.

Okay, quick recap of all the stuff we put in. This is an ftpaccess file. This is the one we just built with all those little things I was showing you. I do this so you can, so you've got something to copy and take home. First couple lines were already there: compress, tar, chmod, delete, overwrite, rename.
You can't do any of that stuff. Good. Okay, most of the recent FTP releases already had that; we're gonna add the first two to that too. Okay? We created an upload area earlier. We said you could upload stuff, but you can't pull it back down. You can't create any directories. We're gonna make sure you enter a real password. That means if one of these worms comes along and it gives out, you know, mozilla@ as a password, it's not gonna work, because it's not actually gonna get to log in to the FTP server to deliver the payload. Okay, what else? Tons of logging, like we said. Finally, basically, we said non-human users can't use this. Greeting text, stat text. We're gonna call ourselves a ProFTPD server just to throw people off. defumask to get good permissions. nice has been set, so if this thing gets tossed, it doesn't take down the whole box.

Okay, I've also included some slides. By the way, these slides are on my website. I'll put it back, I'll give you my website again. The website basically is Jay's page on bastille-linux.org. But I've given you a pattern for how you can use the guest functionality to basically make sure that every user that logs in, or at least every user you can define as guest, is stuck in a chrooted directory. So if someone steals one of the accounts on your system, okay, they've stolen an account, great, but they can't get to root, because they can't go and find the userhelper, or the one that we used in the beginning of this, to actually get root from when we'd just stolen an account. So I've given you slides on how to do this.

Okay, I have two more ideas. One of the ones I heard at the party the other night, try it out, it's really good: turn your FTP server into a virtual server. Someone has to know the name of the server to interact with it, okay? If you turn off the normal server, if you turn this into a virtual server, someone has to know the name of your FTP server just to talk to it, much less to exploit it. If they're just going by IP address, they won't find it, because your FTP server only answers back when someone actually talks to it by its right name. This virtual server stuff is just like on web servers. Okay, and what I do is I show you how to do this.

Okay, the other issue is, you can try to get rid of wu, okay? You can go ProFTPD or OpenBSD's, but they've each been rooted at some point. So that only gets you so far. Okay, the big alternative is vsftpd. It's got a much, much, much better design. Designed for security from the get-go, okay? It's not that old, and so they're able to just start it as a small thing, not a huge number of features, and it shouldn't be exploited too easily. Basically, it's real simple. Lots of small little programs. The programs that are privileged aren't really directly interacting with you, and it's all good. Pull it down from beasts.org. I'd love to know how they came up with the name. The last thing is, try to get away from FTP. Like I said earlier, use SFTP, use SCP, okay? There are, this is part of SSH, there are clients for Mac OS, there are clients for Windows. They're free, no excuse now, okay? Also, use your web server to give out files to everybody and their brother. They've been a lot better in terms of security history.

Okay, so now go in peace. My talk is ended, okay? Please go, and if you're running an FTP server, do this stuff. The problem I always have is I go in and give these talks. They tell people to harden systems. They go home, they don't harden them. They call me back up later and ask me if I can do forensics. Okay, yes, I'll do forensics for you, but I'd much rather you just call me and say, thanks a lot for that talk, we were able to do some cool stuff. Okay, that's it. I'm Jay, I'm out of here. Next show is tomorrow, talking about Bastille Linux. Okay?
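An added example, not from Jay's talk and not Bastille's code: a small POSIX shell audit of a wu-ftpd ftpaccess file against the items in the recap above (passwd-check enforce, message lines gone, path-filter, nodirs upload, deny-uid, command and security logging, greeting, defumask, nice), together with the grep trick that strips the message lines and the inetd.conf change that starts ftpd as user ftp. Directive spellings follow ftpaccess(5); the sample ftpaccess, the UID cutoff of 499 and the /var/ftp paths are constructed assumptions for a Red Hat-style box, so adjust them to yours.

```shell
#!/bin/sh
# Added example, not part of the talk or of Bastille: audit a wu-ftpd ftpaccess
# file for the hardening items in the recap, apply them, and make the inetd.conf
# change that runs ftpd as user ftp. Directive spellings follow ftpaccess(5).
# Assumptions: Red Hat-style layout (system UIDs end at 499, anonymous tree
# under /var/ftp); the sample files below are constructed, not a real box's.

# audit_ftpaccess FILE: print one line per missing control, then "findings: N".
audit_ftpaccess() {
    f="$1"
    n=0
    want() { # want DESCRIPTION ERE  -- some line of FILE must match ERE
        grep -Eq "$2" "$f" || { echo "MISSING: $1"; n=$((n + 1)); }
    }
    want "passwd-check rfc822 enforce (worms sending junk passwords never log in)" \
        '^passwd-check[[:space:]]+rfc822[[:space:]]+enforce'
    want "path-filter refusing names that start with . or - (no uploaded .message)" \
        '^path-filter[[:space:]].*\^\\\..*\^-'
    want "upload ... nodirs (no attacker-made directories to hold a .message)" \
        '^upload[[:space:]].*[[:space:]]nodirs'
    want "deny-uid for system accounts" '^deny-uid[[:space:]]'
    want "log commands" '^log[[:space:]]+commands'
    want "log security" '^log[[:space:]]+security'
    want "greeting terse/text (no version or build date in the banner)" \
        '^greeting[[:space:]]+(terse|text)'
    want "defumask" '^defumask[[:space:]]'
    want "nice" '^nice[[:space:]]'
    # Inverse check: the message feature stays off unless you really need it.
    if grep -Eq '^message[[:space:]]' "$f"; then
        echo "PRESENT: message directive (remove it unless it is needed)"
        n=$((n + 1))
    fi
    echo "findings: $n"
}

# harden_ftpaccess IN OUT: Jay's grep trick (drop every message line), also
# dropping any old passwd-check line, then append the hardened directives.
harden_ftpaccess() {
    grep -Ev '^(message|passwd-check)[[:space:]]' "$1" > "$2"
    cat >> "$2" <<'EOF'
passwd-check rfc822 enforce
path-filter anonymous,guest /etc/pathmsg ^[-A-Za-z0-9._]*$ ^\. ^-
upload /var/ftp * no
upload /var/ftp /incoming yes ftp daemon 0600 nodirs
deny-uid %-499
log commands anonymous,guest,real
log security anonymous,guest,real
greeting terse
defumask 077
nice 10
EOF
}

# drop_inetd_root IN OUT: rewrite the ftp line of inetd.conf so the daemon
# starts as user ftp instead of root (for xinetd, set "user = ftp" instead).
drop_inetd_root() {
    awk 'BEGIN { OFS = "\t" } $1 == "ftp" && $5 == "root" { $5 = "ftp" } { print }' \
        "$1" > "$2"
}

# write_sample_ftpaccess FILE: a constructed, stock-looking ftpaccess to audit.
write_sample_ftpaccess() {
    cat > "$1" <<'EOF'
class   all   real,guest,anonymous  *
email root@localhost
loginfails 5
readme  README*    login
readme  README*    cwd=*
message /welcome.msg            login
message .message                cwd=*
compress        yes             all
tar             yes             all
chmod           no              guest,anonymous
delete          no              guest,anonymous
overwrite       no              guest,anonymous
rename          no              guest,anonymous
log transfers anonymous,real inbound,outbound
shutdown /etc/shutmsg
passwd-check rfc822 warn
EOF
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_sample_ftpaccess "$tmp/ftpaccess"
    audit_ftpaccess "$tmp/ftpaccess"            # every control missing
    harden_ftpaccess "$tmp/ftpaccess" "$tmp/ftpaccess.hardened"
    audit_ftpaccess "$tmp/ftpaccess.hardened"   # nothing left to flag
    rm -rf "$tmp"
fi
```

The audit only checks that the directives are present, not that the paths they name exist or that the incoming directory really is unreadable, so pair it with a look at the anonymous tree's permissions. `greeting terse` is the conservative choice; the decoy `greeting text` banner from the talk also passes the check, and remember the stat banner has to be changed separately.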
Tomorrow, I'm talking about Bastille Linux in the, well, somewhere in the hotel. I got cards. Anyone who wants a card, come up and get one. Yeah, yeah, I got a card.