Serv-U vulnerability resolution: Serv-U security settings (FTP server)

If Serv-U is put into service without any security configuration, the consequences described in this article are very real. In one sentence: reduce the permissions Serv-U runs with and set its management password. If you cannot solve a problem yourself, the cloud-Habitat Community server security channels are available to help.

Serv-U is a very powerful FTP server with a simple, easy-to-use interface; whether for commercial or personal FTP use it is almost always the first choice. However, the security vulnerabilities disclosed in version after version over the past two years mean that anyone running Serv-U has to keep security in mind.

Means of attack

Among the attacks currently popular on the network, overflows caused by software defects are the most critical. Put simply, an overflow targets a software bug: the attacker submits specially constructed malicious input, and the software ends up executing the attacker's code or instructions. Between 2004 and 2005 Serv-U had four or five overflow vulnerabilities, the most serious of which allow an attacker to remotely obtain complete administrative control of the computer. This is extremely dangerous: our personal privacy leaks entirely, and an intruder who enters the computer through such a hole can freely browse the documents and photographs on it. The attack methods in use today fall into five categories: sniffing and eavesdropping, malicious (denial-of-service) attacks, privilege elevation, account hiding, and vulnerability overflow; these are interrelated stages of one process.

Sniffing and eavesdropping: This is the prelude to an attack on Serv-U. Intruders use sniffer software to eavesdrop on FTP passwords; after all, some of the attack tools need a valid account before they can do anything.

Malicious attack: A large-volume file attack. An intruder sends a large volume of files to Serv-U; the FTP server cannot keep up with processing them, so the program stops responding or shuts down on its own.

Privilege elevation: This presupposes that the attacker has obtained full control of the Serv-U installation directory. Serv-U writes its configuration to a file with the .ini extension, so most attackers first compromise the Web service on the target host (for example through a popular SQL injection or file-upload vulnerability), then tamper with the ServUDaemon.ini file in the Serv-U installation directory, replacing the configuration you set with one that grants Execute permission, and from there obtain administrator privileges.

Account hiding: Through a third-party plug-in (a Serv-U extension library) that implements "account mapping", several sub-accounts are mapped onto one fixed account and inherit its permissions. The attacker needs write access to the Serv-U directory in order to install the plug-in and hide the account.

Vulnerability overflow: In general, an attacker first determines the target's Serv-U version, confirms that this version has an overflow vulnerability, then compiles or downloads an overflow exploit and runs it against the target. If the overflow succeeds the attacker obtains privileges on the target system, and because Serv-U runs with system privileges by default, the privileges obtained are system privileges.

You may have noticed that, apart from software defects, read and write permission on the Serv-U directory is the key factor, and you may think that setting the Serv-U directory permissions correctly guarantees security. In fact security is a whole. Most of the time a Web server is installed on the same machine as Serv-U, so both must be taken into account to make the setup secure.

A simulated intrusion

Looking up Serv-U vulnerabilities from the past year in the vulnerability database of the authoritative Chinese security organization "Green Union" (NSFOCUS) gives a surprising result: on average one vulnerability every three months.

2004-09-14 Serv-U FTP Server device file name remote denial of service vulnerability

2004-08-09 Serv-U local privilege elevation vulnerability

2004-04-22 Serv-U FTP Server LIST command long -l parameter remote buffer overflow vulnerability

2004-02-27 Serv-U FTP Server MDTM command remote buffer overflow vulnerability

2004-01-29 Serv-U FTP Server SITE CHMOD command overlong file name remote overflow vulnerability

Here we take the Serv-U local privilege elevation vulnerability as an example to illustrate how harmful it is.

Tip: Although a password security setting was added in Serv-U 6.0.0.2, the author found when testing 6.0.0.2 that if the permissions on the Serv-U installation directory have not been set up, privilege elevation still succeeds.

Vulnerability discovery date: 2004-08-09

Affected versions: Rhinosoft Serv-U 3.0.0.20 to Rhinosoft Serv-U 6.0.0.2

Vulnerability hazard: Serv-U has a design problem; a local attacker can exploit it to execute arbitrary commands on the operating system with system privileges.

Test environment: Microsoft Windows Server 2003 Enterprise Edition + Serv-U FTP Server 6.0.0.2

Test process:

Step one: Log on to Windows as a regular user, enter CMD in the Start menu's Run box, and at the command prompt run serv-u6 (the Serv-U 6 local privilege elevation tool; see Figure 1):

Enter Serv-u6.exe 43958 "net user test Test /add" to add a user named "test".

Step two: Then enter Serv-u6.exe 43958 "net localgroup Administrators Test /add" to elevate this account to superuser rights. If it succeeds, the tool's interface returns the following prompt:

<220 serv-u FTP Server v6.0 for WinSock ready ...

>user Localadministrator

<331 User name Okay, need password.
******************************************************

>pass #l @ $ak #.lk;0@p

<230 User logged in, proceed.
******************************************************

At this point you can log in with username test and password test and find that you have become a superuser. Nothing more needs to be said: you now have the power of the system, and an intruder could do whatever they want on your computer.

Vulnerability solution: Upgrade to the latest version as soon as possible, because this local privilege elevation is a design issue in the software, not a program error.

Security countermeasures

Given these hidden dangers in Serv-U, how do we prevent intrusion? The author takes a Windows 2003 SP1 system with NTFS partitions as the example; first make sure the system has the latest patches installed, then deploy security on top of it. Install the latest version of Serv-U on a non-system partition: some directories on the system disk grant Everyone permissions by default, which gives an attacker who has obtained a Webshell an environment in which to run an attack program. Installation itself is simple; pay attention during installation to whether anonymous logons are really needed, and disable anonymous logons if not.

1. System permission settings

Step one: Set permissions on the Serv-U directory. Clean out the user groups, leaving only Administrators and SYSTEM, and give Administrators full control. Alternatively, create a new user group dedicated to running Serv-U and give it full control of the directory; however, this method is not convenient for virtual hosts that add and delete users every day.

Step two: Create an FTP user root directory; give Administrators full control and SYSTEM read-only access.

Step three: Create a separate directory for each user and apply the following security policy:

Remove the Everyone group (this is especially critical)

Give the SYSTEM account full control of the folder

Give the user who owns this directory full control

Step four: Set user rights within Serv-U and cancel the "Execute" permission. Also remove Execute permission from the Web directory, so a Webshell cannot run an attack program against Serv-U. When setting permissions, follow the basic rule: special attributes first, common attributes afterwards.
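The NTFS side of steps one to four, scripted with icacls and followed by a check that no Everyone entry survived. This is an added example, not the article's own script; the paths, user names and the web worker account are assumptions, and icacls is assumed available (Windows Server 2003 SP2 or later), run from an administrator prompt.

```powershell
# Added example: apply the directory policy from steps one to four with icacls, then audit it.
# All paths and account names below are assumptions; adjust them to your own layout.
$ServUDir   = 'D:\ServU'            # Serv-U install dir, on a non-system partition (assumed)
$FtpRoot    = 'D:\FtpRoot'          # parent of the per-user directories (assumed)
$WebRoot    = 'D:\WebRoot'          # web site content directory (assumed)
$WebAccount = 'IUSR_MYSERVER'       # account the web server serves content as (assumed)
$FtpUsers   = @('alice', 'bob')     # one Windows user per FTP directory (assumed)

# Step one: Serv-U directory keeps only Administrators and SYSTEM; inherited ACEs are dropped.
icacls $ServUDir /inheritance:r
icacls $ServUDir /grant 'BUILTIN\Administrators:(OI)(CI)F'
icacls $ServUDir /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'

# Step two: FTP root, Administrators full control, SYSTEM read-only.
icacls $FtpRoot /inheritance:r
icacls $FtpRoot /grant 'BUILTIN\Administrators:(OI)(CI)F'
icacls $FtpRoot /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)R'

# Step three: per-user directory, no Everyone, SYSTEM and the owning user have full control.
foreach ($u in $FtpUsers) {
    $dir = Join-Path $FtpRoot $u
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    icacls $dir /inheritance:r
    icacls $dir /remove:g 'Everyone'
    icacls $dir /grant 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
    icacls $dir /grant "${u}:(OI)(CI)F"     # ${u} avoids PowerShell reading "u:" as a scope
}

# Step four (NTFS part): web content readable and writable but not executable for the web
# account. GR/GW are generic read and generic write, which do not include execute.
# The Serv-U "Execute" user right itself is switched off in the Serv-U administrator.
icacls $WebRoot /grant:r "${WebAccount}:(OI)(CI)(GR,GW)"

# Audit: none of the directories above may still carry an Everyone entry.
function Test-NoEveryoneAce([string]$Path) {
    $acl = Get-Acl -Path $Path
    -not ($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' })
}
$targets = @($ServUDir, $FtpRoot, $WebRoot) + ($FtpUsers | ForEach-Object { Join-Path $FtpRoot $_ })
foreach ($t in $targets) {
    if (Test-NoEveryoneAce $t) { "OK      $t" } else { "WARNING $t still grants Everyone" }
}
```

A WARNING on the web root usually means an inherited Everyone entry from the volume root; decide deliberately whether to break inheritance there, since the web server may rely on it.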

In addition, the account-hiding attack through a Serv-U plug-in only works if directory permissions are set improperly and the intruder has obtained a Webshell with which to replace files and hook a DLL. As long as permissions are set sensibly and the Serv-U directory is inspected regularly, such attacks are easy to spot, because Serv-U installs only a small number of files.

2. Preventing large-volume file attacks

After installing the FTP software you first add your own domain, then add FTP login users under that domain. When adding users, the software by default does not set upload and download rate limits for them, which leaves a hidden danger: hackers exploit this by sending a large volume of files to the FTP software, which cannot process them and so stops responding or shuts down automatically.

In the user's General settings you can see the "Maximum upload speed" and "Maximum download speed (KB/second)" options. These are usually left blank by default; we recommend setting a specific number to limit the speed. It is also a good idea to set specific values for the "Idle timeout", "Task timeout" and "Maximum number of users" options; the default of 10 minutes is generally sufficient (see Figure 2).

3. Overflow prevention

No new buffer overflow vulnerability in the software has been found recently, but users are advised to follow security news and watch for patches. New versions also fix the bugs, so upgrading is the best way to avoid unnecessary losses. Of course this is a very passive approach; I hope readers will understand security a little better, be a little more meticulous and add a little more protection, so that losses are fewer.

4. Port and password settings

Because the author uses Serv-U 6.0.0.2, it is enough to add LocalSetupPortNo=12345 to ServUDaemon.ini to change the local management port; there is no need to modify ServUDaemon.exe. After the change we use IPSec to restrict which IP addresses may reach port 12345. Version 6.0.0.2 also provides the ability to change the local administration password: on the right side of the main interface we can set the local server password, so that a password is required for local management. By default the local password (#l@ $ak #.lk;0@p) is left empty, and management is possible without entering a password at all. To set or change it, leave the old-password field blank and enter your local admin password. When the settings are complete, a line such as LocalSetupPassword=eq8bd223881747Db4fcc458fc5ee3774d6 is added to ServUDaemon.ini (see Figure 3).
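One way to carry out the IPSec restriction mentioned above on Windows 2003, using the netsh ipsec static policy commands: everything to TCP/12345 is blocked except traffic from one trusted administrator address. This is an added example rather than the article's own configuration; the trusted address 192.0.2.10 and the port value are assumptions, and the commands must be run from an administrator prompt.

```powershell
# Added example: restrict the relocated Serv-U local admin port (LocalSetupPortNo=12345)
# to one trusted host with a static IPSec policy. Address and port are assumptions.
$AdminIp = '192.0.2.10'
$Port    = 12345

# One policy; IPSec applies the most specific matching filter, so the trusted-host
# permit rule takes precedence over the catch-all block rule.
netsh ipsec static add policy name=ServU-Admin 'description=Restrict Serv-U local admin port'

# Filter list 1: any source -> this host, TCP/$Port (mirrored so replies are covered too).
netsh ipsec static add filterlist name=ServU-Admin-Any
netsh ipsec static add filter filterlist=ServU-Admin-Any srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=$Port mirrored=yes

# Filter list 2: only the trusted administrator address -> this host, TCP/$Port.
netsh ipsec static add filterlist name=ServU-Admin-Trusted
netsh ipsec static add filter filterlist=ServU-Admin-Trusted srcaddr=$AdminIp dstaddr=me protocol=TCP srcport=0 dstport=$Port mirrored=yes

# Filter actions: plain block and plain permit (no negotiation, no encryption).
netsh ipsec static add filteraction name=ServU-Block  action=block
netsh ipsec static add filteraction name=ServU-Permit action=permit

# Rules tie filter lists to actions inside the policy.
netsh ipsec static add rule name=Block-Any      policy=ServU-Admin filterlist=ServU-Admin-Any     filteraction=ServU-Block
netsh ipsec static add rule name=Permit-Trusted policy=ServU-Admin filterlist=ServU-Admin-Trusted filteraction=ServU-Permit

# Assign (activate) the policy and display it for review.
netsh ipsec static set policy name=ServU-Admin assign=y
netsh ipsec static show policy name=ServU-Admin
```

Verify from the trusted host that the Serv-U administrator still connects to port 12345, and from any other host that the connection now times out.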

5. Transport security

Because Serv-U does not enable SSL by default, FTP transmits its data in plaintext, which is easily captured by sniffer tools in a routed or switched environment: the powerful Sniffer Pro and NetXRay, and smaller tools such as arpsniffer and Dsniff, can all capture it. Attacks of this kind are nothing new; many security sites have been infiltrated this way. So let's look at how to enable Serv-U's SSL function.

Step one: Create a new SSL server certificate for Serv-U. Start the Serv-U Administrator. Serv-U provides a certificate by default, but the private key of that default certificate is identical on every installation, so for safety we must generate a new one. This is very simple: open the Serv-U "Local Server" option, on the right side of the admin interface open "SSL Certificate", fill in "Common Name" (the FTP server's IP address), "E-mail" and the other fields (see Figure 4), and click "Apply". The new certificate overwrites the original ServUCert.crt in the Serv-U directory.

Step two: Before use we should trust the certificate by installing it in the trusted store. Click "Install Certificate" to enter the Certificate Import Wizard, accept the default store (or choose one), click "Next" and finish. A security warning pops up because the certificate was not issued by a certification authority; ignore it and click "Yes". On success a "Certificate Import Success" dialog appears. Opening ServUCert.crt again shows that it is now trusted, which spares FTP clients the annoying "trust this certificate?" prompt at logon. Next we set Serv-U itself to provide SSL support (see Figure 5).

Step three: In the Serv-U administrator, open the domain below the server, for example www.xhacker.cn. On the right a "Security" drop-down box appears with three options; the default is "Regular FTP only, no SSL/TLS session". Since we want the FTP server to support SSL, we choose "Allow only SSL/TLS sessions"; "Allow regular FTP and SSL/TLS sessions" can be chosen instead as needed. After applying, the Serv-U server transmits with SSL encryption.

For security, also enable SSL-only connections on the FTP client. Taking FlashFXP as an example: in the FlashFXP Quick Connect window select SSL, then under Secure Sockets select Authenticated SSL. Now we connect using SSL; after the connection succeeds a small lock icon appears in the FlashFXP status bar, showing that an SSL secure connection has been established. If you now sniff the FTP port with a sniffer tool, the plaintext password can be read when the connection does not use SSL, while the SSL-encrypted connection escapes the robbery of plaintext sniffing.
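A client-side check that the "Allow only SSL/TLS sessions" setting actually took effect, using .NET's FtpWebRequest from PowerShell instead of FlashFXP: a plaintext login must now fail and an explicit TLS (AUTH TLS) login must succeed. This is an added example, not part of the article; the server name is an assumption, and a dedicated test account should be used because the plaintext attempt deliberately sends its password in the clear.

```powershell
# Added example: verify that the Serv-U domain refuses plaintext logins and accepts TLS.
# Server name is an assumption. Use a throwaway test account for the plaintext attempt.
function Test-FtpLogin {
    param([string]$Server, [pscredential]$Credential, [bool]$UseTls)
    $req = [System.Net.FtpWebRequest]::Create("ftp://$Server/")
    $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
    $req.Credentials = $Credential.GetNetworkCredential()
    $req.EnableSsl   = $UseTls      # $true: AUTH TLS is negotiated before USER/PASS
    $req.UsePassive  = $true
    $req.Timeout     = 10000        # milliseconds
    try {
        $resp = $req.GetResponse()  # only returns after login and LIST both succeeded
        $resp.Close()
        return $true
    } catch {
        return $false               # 5xx reply, refused handshake or untrusted certificate
    }
}

$server = 'ftp.example.com'          # assumed
$cred   = Get-Credential -Message 'Dedicated FTP test account'

$plain = Test-FtpLogin -Server $server -Credential $cred -UseTls $false
$tls   = Test-FtpLogin -Server $server -Credential $cred -UseTls $true

if ($plain) { 'FAIL: plaintext login accepted; set Security to "Allow only SSL/TLS sessions"' }
else        { 'OK:   plaintext login refused' }
if ($tls)   { 'OK:   TLS login succeeded' }
else        { 'FAIL: TLS login failed; check that the server certificate is trusted on this client' }
```

If the TLS attempt fails while FlashFXP succeeds, the certificate from step two is usually missing from this client's trusted store.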

Serv-U is now very widely used in China, from individuals to large groups. As soon as a bug is found and exploit code for it spreads, it brings great disaster to many enterprises and individual users. All we can do is deploy the system securely, keep an eye on the security sector, watch for the latest vulnerabilities, take preventive measures, and patch the system promptly when a vulnerability is found, so that Serv-U is not compromised.
