07-25-2005, 03:54 AM
Originally Posted by ADDiCT
- I've seen quite a few remote exploits that will either crash the server or allow an attacker to run code; ioFTPD never had any known exploit.
Just to be picky, I wouldn't consider this a valid point.

Serv-U has a substantially larger user base and is quite well known (obviously, I hope I haven’t lost your attention already). Greater product exposure tends to yield a larger exploit turnover. ioFTPD has had plenty of possible exploits, but no one took the opportunity to write a proof-of-concept and publish it (to my knowledge anyway). More than likely because ioFTPD is still a beta product and people with the expertise have never heard of ioFTPD. (Count the number of times that buffer/stack overflow is mentioned in ioFTPD's change-log, though this does not mean all were exploitable.) Nevertheless, we are all beta testers, testing an unfinished product, so it is something we have come to accept.

One thing Serv-U does have is a steady release cycle and quick response to published exploits, which I’m sure will change once ioFTPD reaches a final state. There are several possibly exploitable situations in the current version of ioFTPD (Beta-5.8.5). However, there are reasonable workarounds.

- Ability to crash the daemon remotely by using the ‘SITE CHOWN user:group’ command without the directory argument. By default, this command is only available to administrators, so its threat is minimal. To work around this issue, the command can be completely restricted so users are unable to access it (chown = !*).

- A specially crafted .ioFTPD file *could* be dropped in the site directory to achieve local privilege escalation (assuming ioFTPD is running as a privileged user). This could only occur locally, since ioFTPD forbids the uploading of .ioFTPD files. To work around this issue, run ioFTPD as an unprivileged user and restrict access to your "ioFTPD\site" directory (or similar).

Just my two cents.
neoxed