Merge pull request #35 from thomashaw/vulnerability_proftpd_133c_backdoor

Module now cleans up after itself. Merging.

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/files/proftpd.init.d

@@ -0,0 +1,223 @@
+#!/bin/sh 
+
+### BEGIN INIT INFO
+# Provides:          proftpd
+# Required-Start:    $remote_fs $syslog $local_fs $network
+# Required-Stop:     $remote_fs $syslog $local_fs $network
+# Should-Start:      $named
+# Should-Stop:       $named
+# Default-Start:     2 3 4 5
+# Default-Stop:      0 1 6
+# Short-Description: Starts ProFTPD daemon
+# Description:       This script runs the FTP service offered
+#                    by the ProFTPD daemon
+### END INIT INFO
+
+# Start the proftpd FTP daemon.
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+DAEMON=/usr/local/sbin/proftpd
+NAME=proftpd
+
+# Defaults
+RUN="no"
+OPTIONS=""
+CONFIG_FILE=/etc/proftpd/proftpd.conf
+
+PIDFILE=`grep -i 'pidfile' $CONFIG_FILE|sed -e 's/pidfile[\t ]\+//i'`
+if [ "x$PIDFILE" = "x" ];
+then
+	PIDFILE=/var/run/proftpd.pid
+fi
+
+# Read config (will override defaults)
+[ -r /etc/default/proftpd ] && . /etc/default/proftpd
+
+trap "" 1
+trap "" 15
+
+test -f $DAEMON || exit 0
+
+. /lib/lsb/init-functions
+
+#
+# Servertype could be inetd|standalone|none.
+# In all cases check against inetd and xinetd support.
+#
+if ! egrep -qi "^[[:space:]]*ServerType.*standalone" $CONFIG_FILE
+then
+	if egrep -qi "server[[:space:]]*=[[:space:]]*/usr/sbin/proftpd" /etc/xinetd.conf 2>/dev/null || \
+	   egrep -qi "server[[:space:]]*=[[:space:]]*/usr/sbin/proftpd" /etc/xinetd.d/* 2>/dev/null || \
+       egrep -qi "^ftp.*/usr/sbin/proftpd" /etc/inetd.conf 2>/dev/null
+	then
+    		RUN="no"
+    		INETD="yes"
+	else
+		if ! egrep -qi "^[[:space:]]*ServerType.*inetd" $CONFIG_FILE
+		then
+    		RUN="yes"
+			INETD="no"
+		else
+			RUN="no"
+			INETD="no"
+		fi
+	fi
+fi
+
+# /var/run could be on a tmpfs
+
+[ ! -d /var/run/proftpd ] && mkdir /var/run/proftpd
+
+inetd_check()
+{
+	if [ ! -x /usr/sbin/inetd -a ! -x /usr/sbin/xinetd ]; then
+		echo "Neither inetd nor xinetd appears installed: check your configuration."
+	fi
+}
+
+start()
+{
+    log_daemon_msg "Starting ftp server" "$NAME"
+
+    start-stop-daemon --start --quiet --pidfile "$PIDFILE" --oknodo --exec $DAEMON -- -c $CONFIG_FILE $OPTIONS  
+    if [ $? != 0 ]; then
+        log_end_msg 1
+        exit 1
+    else
+        log_end_msg 0
+    fi
+}
+
+signal()
+{
+
+    if [ "$1" = "stop" ]; then
+		SIGNAL="TERM"
+    	log_daemon_msg "Stopping ftp server" "$NAME"
+    else
+	if [ "$1" = "reload" ]; then
+	    SIGNAL="HUP"
+    	log_daemon_msg "Reloading ftp server" "$NAME"
+	else
+	    echo "ERR: wrong parameter given to signal()"
+	    exit 1
+	fi
+    fi
+    if [ -f "$PIDFILE" ]; then
+    	start-stop-daemon --stop --signal $SIGNAL --quiet --pidfile "$PIDFILE"
+   	 if [ $? = 0 ]; then
+        	log_end_msg 0
+    	else
+		SIGNAL="KILL"
+		start-stop-daemon --stop --signal $SIGNAL --quiet --pidfile "$PIDFILE"
+    		if [ $? != 0 ]; then
+        		log_end_msg 1
+        		[ $2 != 0 ] || exit 0
+    		else
+        		log_end_msg 0
+    		fi
+    	fi
+   	if [ "$SIGNAL" = "KILL" ]; then
+		rm -f "$PIDFILE"
+    	fi
+    else
+        log_end_msg 0
+    fi
+}
+
+case "$1" in
+    start)
+	if [ "x$RUN" = "xyes" ] ; then
+	    start
+	else
+	    start
+#	    if [ "x$INETD" = "xyes" ] ; then
+#		echo "ProFTPD is started from inetd/xinetd."
+#		inetd_check
+#	    else
+#	    	echo "ProFTPD warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration."
+#	    fi
+	fi
+	;;
+
+    force-start)
+	if [ "x$INETD" = "xyes" ] ; then
+	    echo "Warning: ProFTPD is started from inetd/xinetd (trying to start anyway)."
+		inetd_check
+	fi
+	start
+	;;	
+    
+    stop)
+	if [ "x$RUN" = "xyes" ] ; then
+	    signal stop 0
+	else
+	    if [ "x$INETD" = "xyes" ] ; then
+		echo "ProFTPD is started from inetd/xinetd."
+		inetd_check
+	    else 
+	    	echo "ProFTPD warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration."
+	    fi
+	fi
+	;;
+
+    force-stop)
+	if [ "x$INETD" = "xyes" ] ; then
+	    echo "Warning: ProFTPD is started from inetd/xinetd (trying to kill anyway)."
+		inetd_check
+	fi
+	signal stop 0
+	;;
+
+    reload)
+	signal reload 0
+	;;
+
+    force-reload|restart)
+	if [ "x$RUN" = "xyes" ] ; then
+	    signal stop 1
+	    sleep 2
+	    start
+	else
+	    if [ "x$INETD" = "xyes" ] ; then
+		echo "ProFTPD is started from inetd/xinetd."
+		inetd_check
+	    else 
+	    	echo "ProFTPD warning: cannot start neither in standalone nor in inetd/xinetd mode. Check your configuration."
+	    fi
+	fi
+	;;
+
+    status)
+	if [ "x$INETD" = "xyes" ] ; then
+	    echo "ProFTPD is started from inetd/xinetd."
+		inetd_check
+		exit 0
+	else 
+	    if [ -f "$PIDFILE" ]; then
+	    	pid=$(cat $PIDFILE)
+	    else
+	    	pid="x"
+	    fi
+	    if [ `pidof proftpd|grep "$pid"|wc -l` -ne 0 ] ; then
+	    	echo "ProFTPD is started in standalone mode, currently running."
+			exit 0
+	    else
+	    	echo "ProFTPD is started in standalone mode, currently not running."
+			exit 3
+	    fi
+	fi
+	;;
+
+    check-config)
+        $DAEMON -t >/dev/null && echo "ProFTPD configuration OK" && exit 0
+        exit 1
+        ;;
+
+    *)
+	echo "Usage: /etc/init.d/$NAME {start|status|force-start|stop|force-stop|reload|restart|force-reload|check-config}"
+	exit 1
+	;;
+esac
+
+exit 0

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/config.pp

@@ -0,0 +1,9 @@
+class proftpd_133c_backdoor::config {
+  file { '/etc/proftpd/proftpd.conf':
+    ensure   => present,
+    owner    => 'root',
+    group    => 'root',
+    mode     => '0644',
+    content  => template('proftpd_133c_backdoor/proftpd.erb')
+  }
+}

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/install.pp

@@ -0,0 +1,68 @@
+class proftpd_133c_backdoor::install {
+
+  # Install ProFTPd 1.3.3c backdoored version from source tar
+
+  file { '/usr/local/src/proftpd-1.3.3c.tar.gz':
+    owner  => root,
+    group  => root,
+    mode   => '0775',
+    ensure => file,
+    source => 'puppet:///modules/proftpd_133c_backdoor/proftpd-1.3.3c.tar.gz',
+    notify => Exec['unpack'],
+  }
+
+  exec { 'unpack':
+    cwd     => '/usr/local/src',
+    command => 'tar -xzvf proftpd-1.3.3c.tar.gz',
+    creates => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+    path    => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ],
+    notify  => Exec['install_proftpd-1.3.3c'],
+  }
+
+  exec { 'install_proftpd-1.3.3c':
+    cwd     => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+    command => '/usr/local/src/backdoored_proftpd-1.3.3c/configure', #--prefix=/usr/local/
+    notify  => Exec['make_proftpd-1.3.3c'],
+  }
+
+  exec { 'make_proftpd-1.3.3c':
+    require     => Exec['install_proftpd-1.3.3c'],
+    cwd         => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+    command     => '/usr/bin/make',
+    notify      => Exec['make_install_proftpd-1.3.3c'],
+  }
+
+  exec { 'make_install_proftpd-1.3.3c':
+    require     => Exec['install_proftpd-1.3.3c'],
+    cwd         => '/usr/local/src/backdoored_proftpd-1.3.3c/',
+    command     => '/usr/bin/make install',
+    notify      => File['/etc/init.d/proftpd'],
+  }
+
+  # ProFTPd init.d service installation
+
+  file { '/etc/init.d/proftpd':
+    require => Exec['make_install_proftpd-1.3.3c'],
+    path    => '/etc/init.d/proftpd',
+    owner   => root,
+    group   => root,
+    mode    => '0755',
+    ensure  => file,
+    source  => 'puppet:///modules/proftpd_133c_backdoor/proftpd.init.d',
+  }
+
+  # Required log and config files/directories
+
+  file { ['/etc/proftpd', '/var/log/proftpd', '/var/log/proftpd/xferlog', '/etc/proftpd/conf.d/']:
+    ensure => directory,
+  }
+
+  file { [ '/etc/proftpd/modules.conf', '/var/log/proftpd/proftpd.log']:
+    ensure => file,
+  }
+
+  # Cleanup
+  exec { 'directory-cleanup':
+    command => '/bin/rm /usr/local/src/* -rf',
+  }
+}

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/manifests/service.pp

@@ -0,0 +1,7 @@
+class proftpd_133c_backdoor::service {
+  service { 'proftpd':
+    ensure  => running,
+    enable  => true,
+    require => File['/etc/init.d/proftpd','/etc/proftpd/proftpd.conf'],
+  }
+}

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/proftpd_133c_backdoor.pp

@@ -0,0 +1,3 @@
+include proftpd_133c_backdoor::install
+include proftpd_133c_backdoor::config
+include proftpd_133c_backdoor::service

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/secgen_metadata.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+  <name>ProFTPD v1.3.3c Backdoor Command Execution</name>
+  <author>Thomas Shaw</author>
+  <author>Jason Keighley</author>
+  <module_license>MIT</module_license>
+  <description>A backdoor was introduced into the proftpd-1.3.3c.tar.[bz2|gz] archive between November 28th and December
+    2nd 2010.
+  </description>
+
+  <type>ftp</type>
+  <privilege>user</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+
+  <!--optional vulnerability details-->
+  <difficulty>low</difficulty>
+  <!--<cve></cve>-->
+  <cvss_base_score>10</cvss_base_score>
+  <cvss_vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
+  <reference>https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor</reference>
+  <software_name>proftpd</software_name>
+  <software_license>GPL</software_license>
+
+  <!--optional breadcrumb (info that is leaked and required to exploit)-->
+  <!--<breadcrumb></breadcrumb>-->
+
+  <!--optional hints-->
+  <!--<msf_module>exploits/unix/ftp/proftpd_133c_backdoor.rb</msf_module>-->
+  <hint>A backdoor in a service</hint>
+  <solution>Remotely exploitable backdoor in the FTP service</solution>
+
+  <!--Cannot co-exist with other installations-->
+  <conflict>
+    <software_name>proftpd</software_name>
+  </conflict>
+</vulnerability>

modules/vulnerabilities/unix/ftp/proftpd_133c_backdoor/templates/proftpd.erb

@@ -0,0 +1,189 @@
+#
+# /etc/proftpd/proftpd.conf -- This is a basic ProFTPD configuration file.
+# To really apply changes, reload proftpd after modifications, if
+# it runs in daemon mode. It is not required in inetd/xinetd mode.
+#
+
+# Includes DSO modules
+Include /etc/proftpd/modules.conf
+
+# Set off to disable IPv6 support which is annoying on IPv4 only boxes.
+UseIPv6				off
+# If set on you can experience a longer connection delay in many cases.
+IdentLookups			off
+
+ServerName			"Debian"
+ServerType			standalone
+DeferWelcome			off
+
+MultilineRFC2228		on
+DefaultServer			on
+ShowSymlinks			on
+
+TimeoutNoTransfer		600
+TimeoutStalled			600
+TimeoutIdle			1200
+
+DisplayLogin                    welcome.msg
+DisplayChdir               	.message true
+ListOptions                	"-l"
+
+DenyFilter			\*.*/
+
+# Use this to jail all users in their homes
+# DefaultRoot			~
+
+# Users require a valid shell listed in /etc/shells to login.
+# Use this directive to release that constrain.
+# RequireValidShell		off
+
+# Port 21 is the standard FTP port.
+Port				21
+
+# In some cases you have to specify passive ports range to by-pass
+# firewall limitations. Ephemeral ports can be used for that, but
+# feel free to use a more narrow range.
+# PassivePorts                  49152 65534
+
+# If your host was NATted, this option is useful in order to
+# allow passive tranfers to work. You have to use your public
+# address and opening the passive ports used on your firewall as well.
+# MasqueradeAddress		1.2.3.4
+
+# This is useful for masquerading address with dynamic IPs:
+# refresh any configured MasqueradeAddress directives every 8 hours
+<IfModule mod_dynmasq.c>
+  # DynMasqRefresh 28800
+</IfModule>
+
+# To prevent DoS attacks, set the maximum number of child processes
+# to 30.  If you need to allow more than 30 concurrent connections
+# at once, simply increase this value.  Note that this ONLY works
+# in standalone mode, in inetd mode you should use an inetd server
+# that allows you to limit maximum number of processes per service
+# (such as xinetd)
+MaxInstances			30
+
+# Set the user and group that the server normally runs at.
+User				root
+Group				nogroup
+
+# Umask 022 is a good standard umask to prevent new files and dirs
+# (second parm) from being group and world writable.
+Umask				022  022
+# Normally, we want files to be overwriteable.
+AllowOverwrite			on
+
+# Uncomment this if you are using NIS or LDAP via NSS to retrieve passwords:
+# PersistentPasswd		off
+
+# This is required to use both PAM-based authentication and local passwords
+# AuthOrder			mod_auth_pam.c* mod_auth_unix.c
+
+# Be warned: use of this directive impacts CPU average load!
+# Uncomment this if you like to see progress and transfer rate with ftpwho
+# in downloads. That is not needed for uploads rates.
+#
+# UseSendFile			off
+
+TransferLog /var/log/proftpd/xferlog
+SystemLog   /var/log/proftpd/proftpd.log
+
+# Logging onto /var/log/lastlog is enabled but set to off by default
+#UseLastlog on
+
+# In order to keep log file dates consistent after chroot, use timezone info
+# from /etc/localtime.  If this is not set, and proftpd is configured to
+# chroot (e.g. DefaultRoot or <!--<-->Anonymous<!-->-->), it will use the non-daylight
+  # savings timezone regardless of whether DST is in effect.
+  #SetEnv TZ :/etc/localtime
+
+  <IfModule mod_quotatab.c>
+    QuotaEngine off
+  </IfModule>
+
+  <IfModule mod_ratio.c>
+    Ratios off
+  </IfModule>
+
+
+  # Delay engine reduces impact of the so-called Timing Attack described in
+  # http://www.securityfocus.com/bid/11430/discuss
+  # It is on by default.
+  <IfModule mod_delay.c>
+    DelayEngine on
+  </IfModule>
+
+  <IfModule mod_ctrls.c>
+    ControlsEngine        off
+    ControlsMaxClients    2
+    ControlsLog           /var/log/proftpd/controls.log
+    ControlsInterval      5
+    ControlsSocket        /var/run/proftpd/proftpd.sock
+  </IfModule>
+
+  <IfModule mod_ctrls_admin.c>
+    AdminControlsEngine off
+  </IfModule>
+
+  #
+  # Alternative authentication frameworks
+  #
+  #Include /etc/proftpd/ldap.conf
+  #Include /etc/proftpd/sql.conf
+
+  #
+  # This is used for FTPS connections
+  #
+  #Include /etc/proftpd/tls.conf
+
+  #
+  # Useful to keep VirtualHost/VirtualRoot directives separated
+  #
+  #Include /etc/proftpd/virtuals.conf
+
+  # A basic anonymous configuration, no upload directories.
+
+  # <Anonymous ~ftp>
+  #   User				ftp
+  #   Group				nogroup
+  #   # We want clients to be able to login with "anonymous" as well as "ftp"
+  #   UserAlias			anonymous ftp
+  #   # Cosmetic changes, all files belongs to ftp user
+  #   DirFakeUser	on ftp
+  #   DirFakeGroup on ftp
+  #
+  #   RequireValidShell		off
+  #
+  #   # Limit the maximum number of anonymous logins
+  #   MaxClients			10
+  #
+  #   # We want 'welcome.msg' displayed at login, and '.message' displayed
+  #   # in each newly chdired directory.
+  #   DisplayLogin			welcome.msg
+  #   DisplayChdir		.message
+  #
+  #   # Limit WRITE everywhere in the anonymous chroot
+  #   <Directory *>
+  #     <Limit WRITE>
+  #       DenyAll
+  #     </Limit>
+  #   </Directory>
+  #
+  #   # Uncomment this if you're brave.
+  #   # <Directory incoming>
+  #   #   # Umask 022 is a good standard umask to prevent new files and dirs
+  #   #   # (second parm) from being group and world writable.
+  #   #   Umask				022  022
+  #   #            <Limit READ WRITE>
+  #   #            DenyAll
+  #   #            </Limit>
+  #   #            <Limit STOR>
+  #   #            AllowAll
+  #   #            </Limit>
+  #   # </Directory>
+  #
+  # </Anonymous>
+
+  # Include other custom configuration files
+  Include /etc/proftpd/conf.d/

scenarios/simple_examples/proftpd_133c_backdoor_vulnerability.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <!-- an example remote linux system with the ProFTPd 1.3.3c backdoor vulnerability -->
+  <system>
+    <system_name>file_server</system_name>
+    <base platform="linux"/>
+
+    <vulnerability module_path=".*proftpd_133c_backdoor"/>
+
+    <network type="private_network" range="dhcp"/>
+  </system>
+
+</scenario>