Debian Bug report logs - #419255
proftpd allows logins with almost no password if configured with SQLAuthTypes Plaintext


Package: proftpd-mysql; Maintainer for proftpd-mysql is (unknown);

Reported by: Evgeni Golov <sargentd@die-welt.net>

Date: Sat, 14 Apr 2007 16:30:05 UTC

Severity: grave

Tags: security

Found in version proftpd-dfsg/1.3.0-19

Fixed in version proftpd-dfsg/1.3.0-22

Done: Francesco Paolo Lovergine <frankie@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#419255; Package proftpd-mysql.

Acknowledgement sent to Evgeni Golov <sargentd@die-welt.net>:
New Bug report received and forwarded. Copy sent to Francesco Paolo Lovergine <frankie@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Evgeni Golov <sargentd@die-welt.net>
To: submit@bugs.debian.org
Subject: proftpd allows logins with almost no password if configured with SQLAuthTypes Plaintext
Date: Sat, 14 Apr 2007 18:29:06 +0200
Package: proftpd-mysql
Version: 1.3.0-19
Severity: grave

This is not really mysql related, but should apply to all proftpd sql
packages. I have the following configuration in my proftpd.conf:

SQLAuthTypes Crypt Plaintext
SQLAuthenticate users* groups*
SQLConnectInfo syscp@localhost syscp MYSQL_PASSWORD
SQLUserInfo ftp_users username password uid gid homedir shell
SQLGroupInfo ftp_groups groupname gid members
SQLUserWhereClause "login_enabled = 'y'"

One should think, a user who is defined in ftp_users should be able to
login with his password (which can be encrypted or not) and a
system-user should also be able to login. The first is perfectly true,
so is the second, BUT: a system-user is also able to login with ! or *
as password. ! or * in /etc/shadow indicates a bad password, so the
user shouldn't be able to login (this is done for the users www-data,
ftp, postfix, etc...) but proftpd seems to ignore that, if SQLAuthTypes
Plaintext is set and allows the user to login with ! or * as password
(whatever is set in /etc/shadow).

IMHO this is a grave security bug, because if someone enables plaintext
for SQL anyone can login with (guessable) system-accounts and do some
sh** :(

--
   ^^^    | Evgeni -SargentD- Golov (sargentd@die-welt.net)
 d(O_o)b  | GPG/PGP-Key-ID: 0xAC15B50C
  >-|-<   | 0C04 F872 0963 ADC9 AA83 882B 24A0 1418 AC15 B50C
   / \    | http://www.die-welt.net - sargentd@jabber.die-welt.net

If you had a chance, right now, to go back in time and stop Hitler,
wouldn't you do it? I mean, I personally wouldn't stop him, because I
think he was awesome, but you would right? (Eric Cartman, Make Love,
not Warcraft)

Information forwarded to debian-bugs-dist@lists.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#419255; Package proftpd-mysql.

Acknowledgement sent to "Francesco P. Lovergine" <frankie@debian.org>:
Extra info received and forwarded to list. Copy sent to Francesco Paolo Lovergine <frankie@debian.org>.

Message #10 received at 419255@bugs.debian.org:

From: "Francesco P. Lovergine" <frankie@debian.org>
To: Evgeni Golov <sargentd@die-welt.net>, 419255@bugs.debian.org
Subject: Re: Bug#419255: proftpd allows logins with almost no password if configured with SQLAuthTypes Plaintext
Date: Sat, 14 Apr 2007 19:53:14 +0200
On Sat, Apr 14, 2007 at 06:29:06PM +0200, Evgeni Golov wrote:
> Package: proftpd-mysql
> Version: 1.3.0-19
> Severity: grave
> 
> This is not really mysql related, but should apply to all proftpd sql
> packages. I have the following configuration in my proftpd.conf:
> 
> SQLAuthTypes Crypt Plaintext
> SQLAuthenticate users* groups*
> SQLConnectInfo syscp@localhost syscp MYSQL_PASSWORD
> SQLUserInfo ftp_users username password uid gid homedir shell
> SQLGroupInfo ftp_groups groupname gid members
> SQLUserWhereClause "login_enabled = 'y'"
> 
> One should think, a user who is defined in ftp_users should be able to
> login with his password (which can be encrypted or not) and a
> system-user should also be able to login. The first is perfectly true,
> so is the second, BUT: a system-user is also able to login with ! or *
> as password. ! or * in /etc/shadow indicates a bad password, so the
> user shouldn't be able to login (this is done for the users www-data,
> ftp, postfix, etc...) but proftpd seems to ignore that, if SQLAuthTypes
> Plaintext is set and allows the user to login with ! or * as password
> (whatever is set in /etc/shadow).
> 

Of course that partially depends on your authoritative information choice.
If you added (disabled) system users to the sql user table, that would not happen.
The same if you

- used the mod_sql as the only authoritative one
- added system users to ftpusers etc
- the system user shells are not listed in /etc/shells and RequireValidShell is on

Anyway as a maintainer I agree that the rule of least surprise should
apply.

> IMHO this is a grave security bug, because if someone enables plaintext
> for SQL anyone can login with (guessable) system-accounts and do some
> sh** :(
> 

PS:
Please enclose your complete proftpd.conf, sql and syslogs, and whatever
is useful for tracking in any report.

-- 
Francesco P. Lovergine

Information forwarded to debian-bugs-dist@lists.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#419255; Package proftpd-mysql.

Acknowledgement sent to Evgeni Golov <sargentd@die-welt.net>:
Extra info received and forwarded to list. Copy sent to Francesco Paolo Lovergine <frankie@debian.org>.

Message #15 received at 419255@bugs.debian.org:

From: Evgeni Golov <sargentd@die-welt.net>
To: "Francesco P. Lovergine" <frankie@debian.org>
Cc: 419255@bugs.debian.org
Subject: Re: Bug#419255: proftpd allows logins with almost no password if configured with SQLAuthTypes Plaintext
Date: Sat, 14 Apr 2007 20:31:13 +0200
On Sat, 14 Apr 2007 19:53:14 +0200 Francesco P. Lovergine wrote:

> Of course that partially depends on your authoritative information
> choice. If you added (disabled) system users to sql user table, that
> would not happen.

Yepp, but why should I? They have disabled passwords, that should be
enough.

> The same if you
>
> - used the mod_sql as the only authoritative one

Maybe I need to login with some regular system-user? (I actually don't,
but this is an argument contra mod_sql only)

> - added system users to ftpusers etc

Uhm, mass-bug-filing against all packages which add users but don't
list them in ftpusers? ;-)

> - the system user shells are not listed /etc/shells and
> RequireValidShell is on

Also not really a solution, you know ;-)

> Anyway as a maintainer I agree that the rule of least surprise should
> be apply.

I think the rule should be: don't apply settings of modA to modB and
be secure ;).
I bet it is not unusual to have a mixed environment of
system and virtual users who should be able to login without opening a
big fat door for the kiddies out there if you don't double and triple
check the logins.

> PS:
> Please enclose your complete proftpd.conf, sql and syslogs, and what
> ever useful for tracking in any report.

You can find the conf here:
http://dragonheart.ath.cx/~zhenech/syscp/proftpd.etch
SQL is empty and syslogs do not show anything interesting.

Some more information: the bug is also present in Sarge's proftpd, so
seems kinda old :(
Hope you or upstream can fix it, even if it affects only "non-standard"
installs (you have to enable Plaintext :))

Regards
Evgeni

--
   ^^^    | Evgeni -SargentD- Golov (sargentd@die-welt.net)
 d(O_o)b  | GPG/PGP-Key-ID: 0xAC15B50C
  >-|-<   | 0C04 F872 0963 ADC9 AA83 882B 24A0 1418 AC15 B50C
   / \    | http://www.die-welt.net - sargentd@jabber.die-welt.net

is our old webserver still alive, webserver still, webserver still... -
yeees, it still pings, it still pings, it still pings (jesse @
teranetworks.de)

Tags added: security. Request was from "Francesco P. Lovergine" <frankie@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2007 18:33:02 GMT)

Tags removed: security. Request was from "Francesco P. Lovergine" <frankie@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2007 18:33:04 GMT)

Tags added: security. Request was from "Francesco P. Lovergine" <frankie@debian.org> to control@bugs.debian.org. (Sat, 14 Apr 2007 18:57:22 GMT)

Reply sent to Francesco Paolo Lovergine <frankie@debian.org>:
You have taken responsibility.

Notification sent to Evgeni Golov <sargentd@die-welt.net>:
Bug acknowledged by developer.

Message #26 received at 419255-close@bugs.debian.org:

From: Francesco Paolo Lovergine <frankie@debian.org>
To: 419255-close@bugs.debian.org
Subject: Bug#419255: fixed in proftpd-dfsg 1.3.0-22
Date: Tue, 17 Apr 2007 22:02:05 +0000
Source: proftpd-dfsg
Source-Version: 1.3.0-22

We believe that the bug you reported is fixed in the latest version of
proftpd-dfsg, which is due to be installed in the Debian FTP archive:

proftpd-dfsg_1.3.0-22.diff.gz
  to pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-22.diff.gz
proftpd-dfsg_1.3.0-22.dsc
  to pool/main/p/proftpd-dfsg/proftpd-dfsg_1.3.0-22.dsc
proftpd-doc_1.3.0-22_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-doc_1.3.0-22_all.deb
proftpd-ldap_1.3.0-22_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-ldap_1.3.0-22_all.deb
proftpd-mysql_1.3.0-22_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-mysql_1.3.0-22_all.deb
proftpd-pgsql_1.3.0-22_all.deb
  to pool/main/p/proftpd-dfsg/proftpd-pgsql_1.3.0-22_all.deb
proftpd_1.3.0-22_i386.deb
  to pool/main/p/proftpd-dfsg/proftpd_1.3.0-22_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 419255@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Francesco Paolo Lovergine <frankie@debian.org> (supplier of updated proftpd-dfsg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Tue, 17 Apr 2007 10:48:43 +0200
Source: proftpd-dfsg
Binary: proftpd proftpd-mysql proftpd-pgsql proftpd-ldap proftpd-doc
Architecture: source all i386
Version: 1.3.0-22
Distribution: unstable
Urgency: high
Maintainer: Francesco Paolo Lovergine <frankie@debian.org>
Changed-By: Francesco Paolo Lovergine <frankie@debian.org>
Description: 
 proftpd    - Versatile, virtual-hosting FTP daemon
 proftpd-doc - Versatile, virtual-hosting FTP daemon (Documentation)
 proftpd-ldap - Versatile, virtual-hosting FTP daemon
 proftpd-mysql - Versatile, virtual-hosting FTP daemon
 proftpd-pgsql - Versatile, virtual-hosting FTP daemon
Closes: 419255
Changes: 
 proftpd-dfsg (1.3.0-22) unstable; urgency=high
 .
   * Added update-inetd dependency.
   * Security: added an auth_cache patch to manage the stacked auth scheme, which can
     introduce unexpected behaviors in some corner cases.
     See http://bugs.proftpd.org/show_bug.cgi?id=2922
     (closes: #419255)
   * Added an auth_loop patch to avoid an endless loop in auth modules.
Files: 





Information forwarded to debian-bugs-dist@lists.debian.org, Francesco Paolo Lovergine <frankie@debian.org>:
Bug#419255; Package proftpd-mysql.

Acknowledgement sent to Matus UHLAR - fantomas <uhlar@fantomas.sk>:
Extra info received and forwarded to list. Copy sent to Francesco Paolo Lovergine <frankie@debian.org>.

Message #31 received at 419255@bugs.debian.org:

From: Matus UHLAR - fantomas <uhlar@fantomas.sk>
To: proftp-devel@lists.sourceforge.net
Cc: 419255@bugs.debian.org
Subject: Re: [Proftpd-devel] An anomaly in auth layer management?
Date: Thu, 26 Apr 2007 15:48:30 +0200
On 16.04.07 13:27, Francesco P. Lovergine wrote:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=419255
> 
> After a few checks I established that apparently the
> SQLAuthType pushes a plain-text authentication which
> is also used by the successive mod_auth_unix layer, instead
> of a crypted one (which should be the default). 
> In order to replicate, it suffices to use a system account like 
> 'proftpd' or 'www-data' and use a password like '!' (at least on
> Debian) I suspect the same for other platforms too, with a bit
> different modalities.

AFAIK, using "!" or "*" for "encrypted" passwords is just and only a
convention for indicating disabled/locked accounts. The real meaning is
that the crypt() function will never produce any of those passwords, so there is
no password you can encrypt to get "!" or "*".

If you use "!" or "*" as plaintext passwords, OF COURSE you can log in using
"!" or "*".

So, the problem comes out of a misunderstanding in using "special" passwords
and using plaintext passwords where encrypted passwords should be used.

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
On the other hand, you have different fingers. 
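A model of the stacked check, as an added example that is not part of this bug log or of ProFTPD's code: `naive_check` reproduces the behaviour Francesco and Matus describe (the SQLAuthTypes list applied to a shadow value, so a lock marker compares equal to itself), while `sql_check`, `unix_check` and `stacked_login` show the hardened shape, where each backend applies only its own comparison and a `!`/`*` entry never authenticates. The SHA-256 stand-in for crypt(3) and the sample accounts are assumptions of this example.

```python
import hashlib
import hmac

LOCK_MARKERS = ("!", "*")


def is_locked(stored: str) -> bool:
    # Shadow convention: '!' or '*' (alone or prefixed to a hash) marks a
    # locked account; crypt() never yields such a string, so nothing matches.
    return stored == "" or stored.startswith(LOCK_MARKERS)


def crypt_stand_in(password: str) -> str:
    # Assumed stand-in for crypt(3) in this example: SHA-256 hex digest.
    return hashlib.sha256(password.encode()).hexdigest()


def naive_check(stored: str, supplied: str, auth_types: tuple) -> bool:
    # The behaviour the thread reports: the SQLAuthTypes list is applied to
    # whatever stored value arrives, with no notion of a locked entry.
    for auth_type in auth_types:
        if auth_type == "Crypt" and crypt_stand_in(supplied) == stored:
            return True
        if auth_type == "Plaintext" and supplied == stored:
            return True
    return False


def sql_check(stored: str, supplied: str, auth_types: tuple) -> bool:
    # mod_sql-style check: honour SQLAuthTypes in order, but a locked value
    # never matches and comparisons run in constant time.
    if is_locked(stored):
        return False
    for auth_type in auth_types:
        candidate = crypt_stand_in(supplied) if auth_type == "Crypt" else supplied
        if auth_type in ("Crypt", "Plaintext") and hmac.compare_digest(candidate, stored):
            return True
    return False


def unix_check(stored: str, supplied: str) -> bool:
    # mod_auth_unix-style check: crypt comparison only, never plaintext.
    return sql_check(stored, supplied, ("Crypt",))


def stacked_login(user, supplied, sql_users, shadow, auth_types):
    # Hardened stacking: mod_sql's auth types apply only to rows from its own
    # table; a system account falls through to the crypt-only unix check.
    if user in sql_users:
        return sql_check(sql_users[user], supplied, auth_types)
    if user in shadow:
        return unix_check(shadow[user], supplied)
    return False
```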



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 23:37:00 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 18:16:13 2014; Machine Name: beach.debian.org
