Vulnerability: vsftpd_234_backdoor rewrite

modules/vulnerabilities/unix/ftp/vsftpd_234_backdoor/files/Makefile

@@ -0,0 +1,45 @@
+# Makefile for systems with GNU tools
+CC 	=	gcc
+INSTALL	=	install
+IFLAGS  = -idirafter dummyinc
+#CFLAGS = -g
+CFLAGS	=	-O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion
+
+LIBS	=	`./vsf_findlibs.sh` -lcrypt -lpam
+LINK	=	-Wl,-s
+
+OBJS	=	main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
+		tunables.o ftpdataio.o secbuf.o ls.o \
+		postprivparent.o logging.o str.o netstr.o sysstr.o strlist.o \
+    banner.o filestr.o parseconf.o secutil.o \
+    ascii.o oneprocess.o twoprocess.o privops.o standalone.o hash.o \
+    tcpwrap.o ipaddrparse.o access.o features.o readwrite.o opts.o \
+    ssl.o sslslave.o ptracesandbox.o ftppolicy.o sysutil.o sysdeputil.o
+
+
+.c.o:
+	$(CC) -c $*.c $(CFLAGS) $(IFLAGS)
+
+vsftpd: $(OBJS) 
+	$(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS) $(LDFLAGS)
+
+install:
+	if [ -x /usr/local/sbin ]; then \
+		$(INSTALL) -m 755 vsftpd /usr/local/sbin/vsftpd; \
+	else \
+		$(INSTALL) -m 755 vsftpd /usr/sbin/vsftpd; fi
+	if [ -x /usr/local/man ]; then \
+		$(INSTALL) -m 644 vsftpd.8 /usr/local/man/man8/vsftpd.8; \
+		$(INSTALL) -m 644 vsftpd.conf.5 /usr/local/man/man5/vsftpd.conf.5; \
+	elif [ -x /usr/share/man ]; then \
+		$(INSTALL) -m 644 vsftpd.8 /usr/share/man/man8/vsftpd.8; \
+		$(INSTALL) -m 644 vsftpd.conf.5 /usr/share/man/man5/vsftpd.conf.5; \
+	else \
+		$(INSTALL) -m 644 vsftpd.8 /usr/man/man8/vsftpd.8; \
+		$(INSTALL) -m 644 vsftpd.conf.5 /usr/man/man5/vsftpd.conf.5; fi
+	if [ -x /etc/xinetd.d ]; then \
+		$(INSTALL) -m 644 xinetd.d/vsftpd /etc/xinetd.d/vsftpd; fi
+
+clean:
+	rm -f *.o *.swp vsftpd
+

modules/vulnerabilities/unix/ftp/vsftpd_234_backdoor/files/copyvsftpd.sh

@@ -1,13 +0,0 @@
-#!/bin/sh
-sudo mkdir -p /usr/share/empty/	
-
-sudo mkdir -p /var/ftp/
-
-sudo chown root.root /var/ftp
-sudo chmod og-w /var/ftp
-
-sudo cp vsftpd /usr/local/sbin/vsftpd
-sudo cp vsftpd.conf.5 /usr/local/man/man5
-sudo cp vsftpd.8 /usr/local/man/man8
-
-sudo cp vsftpd.conf /etc

modules/vulnerabilities/unix/ftp/vsftpd_234_backdoor/files/startvsftpd.sh

@@ -1,3 +0,0 @@
-#!/bin/sh
-sudo /usr/local/sbin/vsftpd &
-

modules/vulnerabilities/unix/ftp/vsftpd_234_backdoor/files/vsftpd.conf

@@ -0,0 +1,115 @@
+# Example config file /etc/vsftpd.conf
+#
+# The default compiled in settings are fairly paranoid. This sample file
+# loosens things up a bit, to make the ftp daemon more usable.
+# Please see vsftpd.conf.5 for all compiled in defaults.
+#
+# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
+# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
+# capabilities.
+#
+# Allow anonymous FTP? (Beware - allowed by default if you comment this out).
+anonymous_enable=NO
+#
+ftp_username=ftp
+# Uncomment this to allow local users to log in.
+local_enable=YES
+#
+# Uncomment this to enable any form of FTP write command.
+#write_enable=YES
+#
+# Default umask for local users is 077. You may wish to change this to 022,
+# if your users expect that (022 is used by most other ftpd's)
+#local_umask=022
+#
+# Uncomment this to allow the anonymous FTP user to upload files. This only
+# has an effect if the above global write enable is activated. Also, you will
+# obviously need to create a directory writable by the FTP user.
+#anon_upload_enable=YES
+#
+# Uncomment this if you want the anonymous FTP user to be able to create
+# new directories.
+#anon_mkdir_write_enable=YES
+#
+# Activate directory messages - messages given to remote users when they
+# go into a certain directory.
+dirmessage_enable=YES
+#
+# Activate logging of uploads/downloads.
+xferlog_enable=YES
+#
+# Make sure PORT transfer connections originate from port 20 (ftp-data).
+connect_from_port_20=YES
+#
+# If you want, you can arrange for uploaded anonymous files to be owned by
+# a different user. Note! Using "root" for uploaded files is not
+# recommended!
+#chown_uploads=YES
+#chown_username=whoever
+#
+# You may override where the log file goes if you like. The default is shown
+# below.
+#xferlog_file=/var/log/vsftpd.log
+#
+# If you want, you can have your log file in standard ftpd xferlog format.
+# Note that the default log file location is /var/log/xferlog in this case.
+#xferlog_std_format=YES
+#
+# You may change the default value for timing out an idle session.
+#idle_session_timeout=600
+#
+# You may change the default value for timing out a data connection.
+#data_connection_timeout=120
+#
+# It is recommended that you define on your system a unique user which the
+# ftp server can use as a totally isolated and unprivileged user.
+#nopriv_user=ftpsecure
+#
+# Enable this and the server will recognise asynchronous ABOR requests. Not
+# recommended for security (the code is non-trivial). Not enabling it,
+# however, may confuse older FTP clients.
+#async_abor_enable=YES
+#
+# By default the server will pretend to allow ASCII mode but in fact ignore
+# the request. Turn on the below options to have the server actually do ASCII
+# mangling on files when in ASCII mode.
+# Beware that on some FTP servers, ASCII support allows a denial of service
+# attack (DoS) via the command "SIZE /big/file" in ASCII mode. vsftpd
+# predicted this attack and has always been safe, reporting the size of the
+# raw file.
+# ASCII mangling is a horrible feature of the protocol.
+#ascii_upload_enable=YES
+#ascii_download_enable=YES
+#
+# You may fully customise the login banner string:
+#ftpd_banner=Welcome to blah FTP service.
+#
+# You may specify a file of disallowed anonymous e-mail addresses. Apparently
+# useful for combatting certain DoS attacks.
+#deny_email_enable=YES
+# (default follows)
+#banned_email_file=/etc/vsftpd.banned_emails
+#
+# You may specify an explicit list of local users to chroot() to their home
+# directory. If chroot_local_user is YES, then this list becomes a list of
+# users to NOT chroot().
+#chroot_local_user=YES
+#chroot_list_enable=YES
+# (default follows)
+#chroot_list_file=/etc/vsftpd.chroot_list
+#
+# You may activate the "-R" option to the builtin ls. This is disabled by
+# default to avoid remote users being able to cause excessive I/O on large
+# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
+# the presence of the "-R" option, so there is a strong case for enabling it.
+#ls_recurse_enable=YES
+#
+# When "listen" directive is enabled, vsftpd runs in standalone mode and
+# listens on IPv4 sockets. This directive cannot be used in conjunction
+# with the listen_ipv6 directive.
+listen=YES
+#
+# This directive enables listening on IPv6 sockets. To listen on IPv4 and IPv6
+# sockets, you must run two copies of vsftpd with two configuration files.
+# Make sure, that one of the listen options is commented !!
+#listen_ipv6=YES

modules/vulnerabilities/unix/ftp/vsftpd_234_backdoor/files/vsftpd_init.d

@@ -0,0 +1,116 @@
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides:		vsftpd
+# Required-Start:	$remote_fs $syslog
+# Required-Stop:	$remote_fs $syslog
+# Default-Start:	2 3 4 5
+# Default-Stop:		1
+# Short-Description:	Very secure FTP server
+### END INIT INFO
+
+set -e
+
+DAEMON="/usr/local/sbin/vsftpd"
+NAME="vsftpd"
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
+LOGFILE="/var/log/vsftpd.log"
+CHROOT="/var/run/vsftpd/empty"
+
+test -x "${DAEMON}" || exit 0
+
+if [ ! -e "${LOGFILE}" ]
+then
+	touch "${LOGFILE}"
+	chmod 640 "${LOGFILE}"
+	chown root:adm "${LOGFILE}"
+fi
+
+if [ ! -d "${CHROOT}" ]
+then
+	mkdir -p "${CHROOT}"
+fi
+
+Check_standalone_mode ()
+{
+	# Return 1 if vsftpd.conf doesn't have listen=yes or listen_ipv6=yes
+	# (mandatory for standalone operation).
+
+	CONFFILE="/etc/vsftpd.conf"
+
+	if [ -e "${CONFFILE}" ] && ! egrep -iq "^ *listen(_ipv6)? *= *yes" "${CONFFILE}"
+	then
+		echo "${CONFFILE}: listen disabled - service will not start"
+		return 1
+	fi
+}
+
+case "${1}" in
+	start)
+		Check_standalone_mode || exit 0
+		echo -n "Starting FTP server: "
+
+		start-stop-daemon --start --background -m --oknodo --pidfile /var/run/vsftpd/vsftpd.pid --exec ${DAEMON}
+
+		echo "${NAME}."
+		;;
+
+	stop)
+		echo -n "Stopping FTP server: "
+
+		start-stop-daemon --stop --pidfile /var/run/vsftpd/vsftpd.pid --oknodo --exec ${DAEMON}
+		rm -f /var/run/vsftpd/vsftpd.pid
+
+		echo "${NAME}."
+
+		;;
+
+	restart)
+		echo -n "Stopping FTP server: "
+
+		start-stop-daemon --stop --pidfile /var/run/vsftpd/vsftpd.pid --oknodo --exec ${DAEMON}
+		rm -f /var/run/vsftpd/vsftpd.pid
+
+		echo "${NAME}."
+		Check_standalone_mode || exit 0
+		echo -n "Starting FTP server: "
+
+		start-stop-daemon --start --background -m --pidfile /var/run/vsftpd/vsftpd.pid --exec ${DAEMON}
+
+		echo "${NAME}."
+		;;
+
+	reload|force-reload)
+		echo "Reloading FTP server configuration: "
+
+		start-stop-daemon --stop --pidfile /var/run/vsftpd/vsftpd.pid --signal 1 --exec $DAEMON
+
+		echo "${NAME}."
+		;;
+
+	status)
+		PID="$(cat /var/run/vsftpd/vsftpd.pid 2>/dev/null)" || true
+
+		if [ ! -f /var/run/vsftpd/vsftpd.pid ] || [ -z "${PID}" ]
+		then
+			echo "${NAME} is not running"
+			exit 3
+		fi
+
+		if ps "${PID}" >/dev/null 2>&1
+		then
+			echo "${NAME} is running"
+			exit 0
+		else
+			echo "${NAME} is not running"
+			exit 1
+		fi
+		;;
+
+	*)
+		echo "Usage: /etc/init.d/${NAME} {start|stop|restart|reload|status}"
+		exit 1
+		;;
+esac
+
+exit 0

modules/vulnerabilities/unix/ftp/vsftpd_234_backdoor/manifests/config.pp

@@ -0,0 +1,31 @@
+class vsftpd_234_backdoor::config {
+
+  # Config files + manuals
+  file { ['/usr/local/man/man5/vsftpd.conf.5']:
+    require => File['/usr/local/src/vsftpd-2.3.4/Makefile'],
+    ensure  => file,
+    source  => '/usr/local/src/vsftpd-2.3.4/vsftpd.conf.5'
+  }
+
+  file { ['/usr/local/man/man8/vsftpd.8']:
+    require => File['/usr/local/src/vsftpd-2.3.4/Makefile'],
+    ensure  => file,
+    source  => '/usr/local/src/vsftpd-2.3.4/vsftpd.8'
+  }
+
+  file { ['/etc/vsftpd.conf']:
+    require => File['/usr/local/src/vsftpd-2.3.4/Makefile'],
+    ensure  => file,
+    source  => 'puppet:///modules/vsftpd_234_backdoor/vsftpd.conf'
+  }
+
+  user { 'ftp':
+    ensure     => present,
+    uid        => '507',
+    gid        => 'root',
+    home       => '/var/ftp',
+    require     => Exec["make-install-vsftpd"],
+    managehome => true
+  }
+
+}

modules/vulnerabilities/unix/ftp/vsftpd_234_backdoor/manifests/install.pp

@@ -1,69 +1,65 @@
-  #copies and unpacks vsftpd_234_backdoor saves it to usr/local/sbin and executes it for startup
 class vsftpd_234_backdoor::install {
 
-  # file { '/tmp/vsftpd-2.3.4':
-  #   path         => '/tmp/vsftpd-2.3.4',
-  #   ensure       => directory,
-  #   source       => 'puppet:///modules/vsftpd_234_backdoor',
-  #   recurse      => true,
-  #
-  # }
-  file { '/tmp/src':
+  # Install dependencies
+  package { ['libssl-dev' ,'libpam0g-dev']:
+    ensure => installed,
+  }
+
+  # Required directories
+  file { ['/usr/share/empty','/var/ftp','/usr/local/man/man5/', '/usr/local/man/man8/']:
     ensure => directory,
-    path => '/tmp/src',
-    source => 'puppet:///modules/vsftpd_234_backdoor',
-    recurse => 'true',
-    mode => '777'
+    owner  => root,
+    mode   => '0755'
   }
 
+  # Require tarball
+  file { '/usr/local/src/vsftpd-2.3.4.tar.gz':
+    ensure => file,
+    source => 'puppet:///modules/vsftpd_234_backdoor/vsftpd-2.3.4.tar.gz',
+  }
+
+  # Unpack tar
   exec { 'unzip-vsftpd':
-    command     => 'tar -xzf /tmp/src/vsftpd-2.3.4.tar.gz',
-    path => '/bin',
-    cwd => '/tmp',
-    # creates     => "/home/vagrant/vsftpd-2.3.4/vsftpd",
-    # notify   => Exec['make-vsftpd']
+    require     => Package['libssl-dev' ,'libpam0g-dev'],
+    command     => '/bin/tar -xzf /usr/local/src/vsftpd-2.3.4.tar.gz',
+    cwd         => '/usr/local/src',
+    creates     => '/usr/local/src/vsftpd-2.3.4/',
   }
 
-  # TODO: FIXME this is broken
-  # exec { 'make-vsftpd':
-  #   command     => '/usr/bin/make',
-  #   cwd         => "/tmp/src/vsftpd-2.3.4",
-  #   creates     => "/tmp/src/vsftpd-2.3.4/vsftpd",
-  #   notify   => Exec['copy-vsftpd'],
-  #   require     => Exec["unzip-vsftpd"],
-  # }
-  #
-  # exec { 'copy-vsftpd':
-  #   command     => '/usr/bin/make install',
-  #   cwd         => "/tmp/src/vsftpd-2.3.4",
-  #   # creates     => "/usr/local/sbin/vsftpd",
-  #   notify   => User['ftp'],
-  #   require     => Exec["make-vsftpd"],
-  # }
-  #
-  # # exec { 'copy-vsftpd':
-  # #   command     => '/tmp/src/copyvsftpd.sh',
-  # #   cwd         => "/tmp/src/",
-  # #   creates     => "/usr/local/sbin/vsftpd",
-  # #   notify   => User['ftp'],
-  # #   require     => Exec["make-vsftpd"],
-  # # }
-  #
-  # user { 'ftp':
-  #   ensure     => present,
-  #   uid        => '507',
-  #   gid        => 'root',
-  #   shell      => '/bin/zsh',
-  #   home       => '/var/ftp',
-  #   notify   => Exec['start-vsftpd'],
-  #   require     => Exec["copy-vsftpd"],
-  #   managehome => true
-  # }
-  #
-  # exec { 'start-vsftpd':
-  #   command     => '/tmp/vsftpd-2.3.4/startvsftpd.sh',
-  #   require     => User["ftp"],
-  # }
+  # Use module Makefile
+  file { ['/usr/local/src/vsftpd-2.3.4/Makefile']:
+    require  => Exec['unzip-vsftpd'],
+    ensure   => file,
+    content  => file('vsftpd_234_backdoor/Makefile'),
+  }
+
+  # Make
+  exec { 'make-vsftpd':
+    require     => File['/etc/vsftpd.conf', '/usr/local/man/man5/vsftpd.conf.5', '/usr/local/man/man8/vsftpd.8'],
+    command     => '/usr/bin/make',
+    cwd         => '/usr/local/src/vsftpd-2.3.4'
+  }
+
+  # Make install
+  exec { 'make-install-vsftpd':
+    require     => Exec['make-vsftpd'],
+    command     => '/usr/bin/make install',
+    cwd         => '/usr/local/src/vsftpd-2.3.4'
+  }
+
+  file { ['/usr/local/sbin/vsftpd']:
+    require => Exec['make-install-vsftpd'],
+    ensure  => file,
+    source  => '/usr/local/src/vsftpd-2.3.4/vsftpd',
+  }
+
+  # init.d file
+  file { ['/etc/init.d/vsftpd']:
+    require => Exec['make-install-vsftpd'],
+    ensure  => file,
+    source  => 'puppet:///modules/vsftpd_234_backdoor/vsftpd_init.d',
+    mode   => '0755',
+  }
 }
 
 

modules/vulnerabilities/unix/ftp/vsftpd_234_backdoor/manifests/service.pp

@@ -0,0 +1,7 @@
+class vsftpd_234_backdoor::service {
+  service { 'vsftpd':
+    ensure  => running,
+    enable  => true,
+    require => File['/etc/init.d/vsftpd'],
+  }
+}

modules/vulnerabilities/unix/ftp/vsftpd_234_backdoor/secgen_metadata.xml

@@ -6,6 +6,7 @@
   <name>VSFTPD v2.3.4 Backdoor Command Execution</name>
   <author>Lewis Ardern</author>
   <author>Z. Cliffe Schreuders</author>
+  <author>Thomas Shaw</author>
   <module_license>MIT</module_license>
   <description>A backdoor was introduced into the vsftpd-2.3.4.tar.gz archive between
     June 30th 2011 and July 1st 2011. AKA the smiley face backdoor.</description>
@@ -37,4 +38,10 @@
   <conflict>
     <software_name>vsftpd</software_name>
   </conflict>
+
+  <!--Dependencies-->
+  <!--<dependency>-->
+    <!--<software_name>unix_update</software_name>-->
+  <!--</dependency>-->
+
 </vulnerability>

modules/vulnerabilities/unix/ftp/vsftpd_234_backdoor/templates/Makefile.erb

@@ -0,0 +1,44 @@
+# Makefile for systems with GNU tools
+CC 	=	gcc
+INSTALL	=	install
+IFLAGS  = -idirafter dummyinc
+#CFLAGS = -g
+CFLAGS	=	-O2 -Wall -W -Wshadow #-pedantic -Werror -Wconversion
+
+LIBS	=	`./vsf_findlibs.sh` -lcrypt -lpam
+LINK	=	-Wl,-s
+
+OBJS	=	main.o utility.o prelogin.o ftpcmdio.o postlogin.o privsock.o \
+tunables.o ftpdataio.o secbuf.o ls.o \
+postprivparent.o logging.o str.o netstr.o sysstr.o strlist.o \
+banner.o filestr.o parseconf.o secutil.o \
+ascii.o oneprocess.o twoprocess.o privops.o standalone.o hash.o \
+tcpwrap.o ipaddrparse.o access.o features.o readwrite.o opts.o \
+ssl.o sslslave.o ptracesandbox.o ftppolicy.o sysutil.o sysdeputil.o
+
+
+.c.o:
+  $(CC) -c $*.c $(CFLAGS) $(IFLAGS)
+
+vsftpd: $(OBJS)
+  $(CC) -o vsftpd $(OBJS) $(LINK) $(LIBS) $(LDFLAGS)
+
+install:
+if [ -x /usr/local/sbin ]; then \
+  $(INSTALL) -m 755 vsftpd /usr/local/sbin/vsftpd; \
+else \
+  $(INSTALL) -m 755 vsftpd /usr/sbin/vsftpd; fi
+if [ -x /usr/local/man ]; then \
+  $(INSTALL) -m 644 vsftpd.8 /usr/local/man/man8/vsftpd.8; \
+  $(INSTALL) -m 644 vsftpd.conf.5 /usr/local/man/man5/vsftpd.conf.5; \
+elif [ -x /usr/share/man ]; then \
+  $(INSTALL) -m 644 vsftpd.8 /usr/share/man/man8/vsftpd.8; \
+  $(INSTALL) -m 644 vsftpd.conf.5 /usr/share/man/man5/vsftpd.conf.5; \
+else \
+  $(INSTALL) -m 644 vsftpd.8 /usr/man/man8/vsftpd.8; \
+  $(INSTALL) -m 644 vsftpd.conf.5 /usr/man/man5/vsftpd.conf.5; fi
+if [ -x /etc/xinetd.d ]; then \
+  $(INSTALL) -m 644 xinetd.d/vsftpd /etc/xinetd.d/vsftpd; fi
+
+clean:
+  rm -f *.o *.swp vsftpd

modules/vulnerabilities/unix/ftp/vsftpd_234_backdoor/vsftpd_234_backdoor.pp

@@ -1 +1,3 @@
-include vsftpd_234_backdoor::install
+include vsftpd_234_backdoor::install
+include vsftpd_234_backdoor::config
+include vsftpd_234_backdoor::service

scenarios/simple_examples/vsftpd_backdoor_vulnerability.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <system>
+    <system_name>storage_server</system_name>
+    <base platform="linux"/>
+
+    <!--Requires a package manager repository update to install dependencies-->
+    <service platform="linux" type="update"/>
+
+    <vulnerability module_path="modules/vulnerabilities/unix/ftp/vsftpd_234_backdoor"/>
+
+    <network type="private_network" range="dhcp"/>
+  </system>
+
+</scenario>