Below is an example Nessus report and the corresponding NcFTPd verbose log entries, with notes about how NcFTPd handles each test. We recommend comparing our report with yours. Let us know if your report contains any additional messages, since these could indicate either a new false alarm that should be documented in our report or an actual vulnerability.
The tests follow. The actual text of the messages logged by NcFTPd and Nessus may vary according to the version of the software you have installed.
    It was possible to get the listing of the remote root directory by issuing the command LIST C:\
    The data we could get is : C: No such file or directory
NcFTPd is simply returning the error message "No such file or directory" back on the data stream, as many other FTP servers do.
    The remote FTP server seems to be vulnerable to an exhaustion attack which may makes it consume all available memory on the remote host when it receive the command :
    NLST /../*/../*/../*/../*/../*/../*/../*/../*/../*/../
    Solution : upgrade to ProFTPd 1.2.2 if the remote server is proftpd, or contact your vendor for a patch.
    Risk factor : High
The verbose log entries below show that the attempt to escape the restricted directory was unsuccessful. The timestamps on the log entries also show that a denial-of-service did not occur since the directory listing completed in the same second.
    2001-06-30 08:02:09 #u3 | << NLST /../*/../
    2001-06-30 08:02:09 #u3 | >> 150 Data connection accepted from 192.168.5.27:54460; transfer starting.
    2001-06-30 08:02:09 #u3 | [/home] not in ~ftp=[/home/ftp]
    2001-06-30 08:02:09 #u3 | Data connection closed.
    2001-06-30 08:02:09 #u3 | >> 226 Listing completed.
    The remote FTP server closes the connection when one of the commands USER, PASS or HELP is given with a too long argument.
    This probably due to a buffer overflow, which allows anyone to execute arbitrary code on the remote host.
    This problem is threatening, because the attackers don't need an account to exploit this flaw.
    Solution : Upgrade your FTP server or change it
    Risk factor : High
The verbose log entries below show that the buffer overflow did not succeed: NcFTPd detected the attempt and forcibly disconnected the remote user. Note that NcFTPd purposely waited two seconds before sending the "550" message back to the remote client, and another two seconds after sending it.
    2001-06-30 08:14:03 #u3 | Detected and prevented a Buffer-overflow attempt by user from BadGuy.Example.com.
    2001-06-30 08:14:05 #u3 | >> 550 Your anti-social behavior has been logged. You will now be disconnected.
    2001-06-30 08:14:07 #u3 | Misc error, closed connection.
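
The two checks described above (did the listing finish promptly, and was the escape or overflow attempt rejected) can be run over a verbose log automatically. The Python below is an added example, not part of NcFTPd or of the original page; the finding names and the 5-second `slow_after` threshold are assumptions, and the log line layout is taken only from the excerpts shown here.

```python
import re
from datetime import datetime

# Log lines copied from the two excerpts on this page.
SAMPLE_LOG = """\
2001-06-30 08:02:09 #u3 | << NLST /../*/../
2001-06-30 08:02:09 #u3 | >> 150 Data connection accepted from 192.168.5.27:54460; transfer starting.
2001-06-30 08:02:09 #u3 | [/home] not in ~ftp=[/home/ftp]
2001-06-30 08:02:09 #u3 | Data connection closed.
2001-06-30 08:02:09 #u3 | >> 226 Listing completed.
2001-06-30 08:14:03 #u3 | Detected and prevented a Buffer-overflow attempt by user from BadGuy.Example.com.
2001-06-30 08:14:05 #u3 | >> 550 Your anti-social behavior has been logged. You will now be disconnected.
2001-06-30 08:14:07 #u3 | Misc error, closed connection.
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (#\S+) \| (.*)$")
ESCAPE_RE = re.compile(r"^\[(.+)\] not in ~ftp=\[(.+)\]$")

def parse(text):
    """Yield (timestamp, session, message) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def triage(text, slow_after=5):
    """Return findings that support or contradict the scanner's claims."""
    findings = []
    pending = {}  # session -> (start time, command) of the listing in progress
    for ts, sess, msg in parse(text):
        if msg.startswith(("<< NLST", "<< LIST")):
            pending[sess] = (ts, msg[3:])
        elif (m := ESCAPE_RE.match(msg)):
            findings.append(("escape_denied", sess, m.group(1)))
        elif msg.startswith(">> 226") and sess in pending:
            start, _ = pending.pop(sess)
            secs = int((ts - start).total_seconds())
            kind = "listing_slow" if secs > slow_after else "listing_ok"
            findings.append((kind, sess, secs))
        elif "Buffer-overflow attempt" in msg:
            findings.append(("overflow_blocked", sess, msg))
    # A listing that never reached 226 is the case worth investigating.
    findings += [("listing_unfinished", s, c) for s, (_, c) in pending.items()]
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A `listing_slow` or `listing_unfinished` finding, or a scanner alarm with no matching rejection entry in the log, is what separates a report worth sending in from the documented false alarms.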