Serv-U anti-Overflow Privilege Escalation Solution

Preface:
Everyone should have forgotten three years ago before the Serv-U5.004 version of all versions of the "Serv-U ftpmtm Command Buffer Overflow" and "Serv-u ftp Server LIST Command ultra-long-l Parameter Remote Buffer overflow Vulnerability, this vulnerability has left many server administrators restless, and many large websites and even telecom-grade servers down... with the launch of the new Serv-U version, this leakage does not exist. Although the overflow does not exist, hackers will never stop, so it is accompanied by Serv-U5.0 to 6.0 of the hackers' Common Local Elevation of Privilege defects. (Note: The most common example is webshell + su Privilege Escalation. I enter the "Serv-U Privilege Escalation" keyword in Baidu. The search result is "Baidu". I found about 34,000 related webpages, 0.001 seconds). Therefore, solving the security problem of Serv-U is imminent.

Although Serv-U privilege escalation is strictly not a major Serv-U vulnerability, improper configuration of the Administrator may cause serious consequences; next, leebolin will introduce how to configure Serv-U securely to ensure the security of Serv-U and even servers. Come with me. "Go, go, go... "(CS has been playing a lot recently. Hee: P)

Solution body:

1. We all know that Linux and UNIX systems are more secure than Windows systems because Linux and UNIX system services do not use root permissions, but are used by another individual user with relatively low permissions, for example, the Web Service uses the nobody user. By default, Serv-U runs as a system, and the system's built-in account has full operation permissions on the local machine. Therefore, if attackers exploit Serv-UProgramAttackers can obtain the executable shell, so they can control any directory in the operating system at will.

II. I explained why Serv-U privilege escalation and overflow attacks are terrible. How can we prevent such attacks? The answer is to drop the Serv-U operation permission and control the Serv-U "ACLs" to access the directory... well, let's come with me step by step!

Iii. Serv-U Security Configuration
1. First, use the latest version of Serv-U (the current version is ...). Then try not to select the default installation directory when installing Serv-U. For example, you can install Serv-U in D: /pro_leebolin ^_^/Serv-U #$2008 $ /... (because such a complex directory name can prevent hacker guesses)

2. Then, run the Serv-U command to cancel the MDTM command, modify the Serv-u ftp banner, and enable the FTP log of Serv-U to save it to a non-system disk, the log selects and records the commands and DLL used in Serv-U naming, and sets a strong local management password for Serv-U (because the Elevation of Privilege is mostly due to the default Administrator of Serv-U: localadministrator, default password: # l @ $ AK #. LK; 0 @ P, hehe $ _ $). You can also save the FTP account information of Serv-U to the Registry, do not include INI files in the Serv-U Directory, which is more secure.

3. Enable "Computer Management" to create a user Serv-uadmin and set the password. Withdraw the user from the users group and do not join any group. In the "terminal service configuration file" option of the user, cancel "Allow logon to the terminal server. Disable the local login of the Serv-uadmin user. Choose Control Panel> Administrative Tools> Local Security Policies> Local Policies> User permission assignment> deny local logon. (Note: This user uses it as the service running account of our Serv-U.) [(AD ^ _ ^! Pioneer in the Internet revolution! Server Security Forum [s.s. d. A])]

4. Start running "services. msc" Open Win's Service Manager, find Serv-u ftp server's Serv-U service, and open the "login" dialog box. The default value is "Local SYSTEM account ". We changed it to the Serv-uadmin user we created in 3 and entered the password.

5. The following task is to set the Serv-U operation and the FTP directory's ACLs permissions:
① C:/Documents and Settings/Serv-uadmin directory Add the Serv-uadmin permission to allow Reading and Writing ..

② D:/pro_leebolin ^_^/Serv-U #$2008 $/Add the Serv-uadmin permission to the Serv-uadmin installation directory to allow reading and running. (If you have selected an account to save it in the INI file, you need to add the modification and deletion permissions here, because you need to delete and modify the permissions when adding or deleting an FTP account. Otherwise, you cannot add or delete an FTP account)

③ If the Serv-U account has a registry. Run regedt32.exe to open the Registry Editor. Find the [HKEY_LOCAL_MACHINE/software/Cat Soft] branch. Right-click the parent item, select permissions, and click Advanced to cancel the permission for the parent item to be inherited from the object and all sub-objects, and delete all accounts except admins. Add only the Serv-uadmin account to the permission list of this Sub-key and grant full control permissions. (Skip this step if you have selected to save your account information in the INI file .)

④ Now we can set the ACLs of the web directory. For example, the total directory of my VM is E:/leebolin $ (%; then we can add this web directory to the permissions of the Serv-uadmin account, so that FTP can access our web directory for upload and download. (Because Serv-U is not running in system, only the permissions of admins and Serv-uadmin are available here .)

⑥ If it is an ASP/PHP/HTML Script, the web directory only needs admins & Serv-uadmin & iusr_xx (here iusr_xx refers to the site's anonymous single-user account... about site security and ASP. for more information about net security, see my previousArticle: FSO security risk solution, ASP Trojan webshell security solution, ASP. NET Trojan and webshell security solution, and server security check top ten elements.

4. So far, our Serv-U has simply implemented anti-Elevation of Privilege and anti-overflow. Why? Because the remote overflow of overflow is often performed through further hacking through a shell, and our current Serv-U is not running in the system, even if overflow is executed, and cannot get anything... I don't need to explain this because our Serv-uadmin does not have any system-level ACLs access permissions ..

5. The solution to anti-overflow Elevation of Privilege in Serv-U today is introduced here. Will you see this?

Note: in fact, the security of servers and systems is a general concept. It is possible that your website or even the server will be compromised by a small amount of negligence. Therefore, security policies must take the road to preventing problems before they happen. You cannot be careless in any small place. Today's Security Configuration tips for anti-Serv-U are introduced here... for other aspects of server security configuration experience, see the next article :-) (Note: Due to my learning skills, errors in this article are inevitable. Please forgive me! It is intended to inspire others. If you have a better solution, please do not forget to post ^ 0 ^ on server security forum. Thank you !)

Copyright: This article is copyrighted by the [server security discussion board] and [author]. You can reprint it as needed, however, you must keep the integrity of the document, the source of the information, the author's information, and other links. However, you are not welcome to remove this copyright information from the uploader.

author: Li Bolin/leebolin server security senior system engineer and professional network security consultant. ISP service providers have successfully provided complete network security solutions for many large and medium-sized enterprises in China. He is particularly good at the design of the overall network security solution, the planning of large-scale network engineering, and the provision of a complete series of server security solutions. [S.s. d. A server security discussion area] www.31896.net E-mail: Bolin. lee # gmail.com QQ: 24460394 if you have any suggestions or questions about this article, you can send a letter or QQ to communicate with the author online, or go to server security forum to discuss with the author!