From: emv@math.lsa.umich.edu (Edward Vielmetti)
Newsgroups: alt.security,comp.protocols.tcp-ip,alt.sys.sun
Subject: anonymous ftp, and the dangers thereof
Date: 3 Jun 90 07:24:40 GMT
Organization: University of Michigan Math Dept., Ann Arbor MI.

from ftpd(8):

     BUGS
          The anonymous account is inherently dangerous and should be
          avoided when possible.

Despite this dire warning, there are over 500 systems on the internet which
support anonymous FTP. There are known bugs in several versions of ftpd which
allow crackers to break in; word about this spread rather quickly around some
parts of the net just before the internet worm hit. The worm didn't expose
these vulnerabilities, so there's good reason to believe that some people are
still at risk.

ftpd identifies itself in the login banner like so:

     220 stag.math.lsa.umich.edu FTP server (Version 5.55 Tue Apr 17 20:44:35 EDT 1990) ready.

so that a potential cracker need only retrieve this one piece of information
to see whether a system might be susceptible to attack. There's no guarantee
that the date in this banner is the actual date that the code was fixed, nor
does the version number seem to mean much; but if the version is well known
the means of entry can be assured.

Any BSD'ish system with a date earlier than the Berkeley fixes posted 10/31/88
and 11/18/88 is an easy target, as are systems for which vendors have supplied
fixes. I would estimate by a sampling of these banners that one host in 10 that
does anonymous FTP is vulnerable.

Some sites keep anonymous FTP directories world-writable, letting any random
internet user drop a file in a directory. If you see a file named
GETMONEY.txt, makemoney.doc, or sex-bbs.doc (or variations on same) in your
FTP directory, this is why. It is not good practice to allow random anonymous
users to scribble into directories; several sensible systems have "upload" or
"tmp" directories for submissions, from which an archive manager will move
files into their real homes. The problem of allowing remote users to update
archives which belong to them should be addressed with ordinary passworded
accounts.

Despite the widespread use of anonymous FTP, the internet RFCs provide no
guidelines to its use or configuration. The conventions that define anonymous
FTP, its risks, and suggestions on how to set up a good FTP site should be
collected in the form of an RFC on anonymous ftp.

--Ed

Edward Vielmetti, U of Michigan math dept.
emv@math.lsa.umich.edu
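As an added example (not part of Ed's post and not code from the BSD ftpd), here is a small Python script that does the two checks the post describes: it classifies an ftpd 220 greeting by the build date in its banner against the 10/31/88 and 11/18/88 Berkeley fix dates, and it walks an anonymous FTP tree looking for world-writable directories that are not a designated upload area. The banner regex, the "incoming"/"tmp" upload-directory names, and the sample directory tree are assumptions of this example; the 1990 banner is the one quoted in the post, the 1988 banners are constructed. As the post itself says, the banner date is not guaranteed to be the date the code was fixed, so the classification is a triage hint, not proof of vulnerability either way.

```python
import os
import re
import stat
import tempfile
from datetime import datetime

# Dates of the two Berkeley ftpd fixes the post refers to (10/31/88 and 11/18/88).
FIRST_FIX = datetime(1988, 10, 31)
SECOND_FIX = datetime(1988, 11, 18)

# Assumed banner shape, modelled on the one quoted in the post:
#   220 host FTP server (Version 5.55 Tue Apr 17 20:44:35 EDT 1990) ready.
BANNER_RE = re.compile(
    r"^220\s+(?P<host>\S+)\s+FTP server\s+\(Version\s+(?P<version>\S+)\s+"
    r"(?P<date>[^)]*)\)\s+ready\.?\s*$"
)
# ctime(3)-style date; weekday, clock time and zone are treated as optional.
DATE_RE = re.compile(
    r"(?:[A-Z][a-z]{2}\s+)?(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?:\d\d:\d\d:\d\d\s+)?(?:[A-Z]{3,4}\s+)?(?P<year>\d{4})"
)


def classify_banner(line):
    """Parse one 220 greeting and place its build date relative to the fixes."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return {"status": "unrecognised", "raw": line.strip()}
    info = {"host": m.group("host"), "version": m.group("version")}
    d = DATE_RE.search(m.group("date"))
    if not d:
        info["status"] = "undated"
        return info
    built = datetime.strptime(
        f"{d.group('mon')} {d.group('day')} {d.group('year')}", "%b %d %Y"
    )
    info["built"] = built.date().isoformat()
    # The banner date is only a hint: a vendor may have patched without
    # rebuilding the banner string, or rebuilt without applying the fixes.
    if built < FIRST_FIX:
        info["status"] = "predates-fixes"
    elif built < SECOND_FIX:
        info["status"] = "between-fixes"
    else:
        info["status"] = "dated-after-fixes"
    return info


def world_writable_dirs(root, upload_dirs=("incoming", "tmp")):
    """Directories under root that any anonymous user could write to,
    excluding the designated upload directories (names are an assumption)."""
    hits = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISDIR(mode) and (mode & stat.S_IWOTH) and name not in upload_dirs:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def audit_sample_tree():
    """Build a constructed ~ftp tree in a temp dir and audit it.
    'pub' is left world-writable on purpose; 'pub/incoming' is the upload area."""
    root = tempfile.mkdtemp(prefix="ftp-audit-")
    layout = {"pub": 0o777, "pub/incoming": 0o733, "pub/gnu": 0o755, "etc": 0o711}
    for rel in layout:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel, mode in layout.items():          # chmod after creation so umask is irrelevant
        os.chmod(os.path.join(root, rel), mode)
    return world_writable_dirs(root)


# Constructed sample banners; the first is the one quoted in the post.
SAMPLE_BANNERS = [
    "220 stag.math.lsa.umich.edu FTP server (Version 5.55 Tue Apr 17 20:44:35 EDT 1990) ready.",
    "220 oldhost.example FTP server (Version 4.3 Thu Mar 10 12:00:00 EST 1988) ready.",
    "220 midhost.example FTP server (Version 4.3 Mon Nov 7 09:30:00 EST 1988) ready.",
    "220 vendor.example FTP ready",
]


def triage_banners(banners=SAMPLE_BANNERS):
    """Return (host-or-raw, status) pairs for a list of greetings."""
    out = []
    for b in banners:
        r = classify_banner(b)
        out.append((r.get("host", r.get("raw")), r["status"]))
    return out


if __name__ == "__main__":
    for host, status in triage_banners():
        print(f"{status:18} {host}")
    print("world-writable, not an upload dir:", audit_sample_tree())
```

The triage step only needs the one line the server volunteers before login, which is the post's point: an attacker gets the same information for free. The directory audit is what an archive manager would run after moving submissions out of the upload area, to make sure nothing else in the tree has drifted back to mode 777.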