Upgrade the dang server, please!

FTP Server, File Server, DDNS, SAMBA, AFP, NFS
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: Upgrade the dang server, please!

Post by Don »

I know it's not the solution you are looking for but proftpd is available via IPKG and it looks like it is the current version. You can download it and use this version instead of the one supplied with the firmware.


[~] # ipkg update
Downloading http://ipkg.nslu2-linux.org/feeds/optware/ts509/cross/unstable/Packages.gz
Inflating http://ipkg.nslu2-linux.org/feeds/optware/ts509/cross/unstable/Packages.gz
Updated list of available packages in /opt/lib/ipkg/lists/ts509
Successfully terminated.
[~] # ipkg list proftpd
proftpd - 1.3.2-2 - Highly configurable FTP server with SSL-TLS
Successfully terminated.
Use the forum search feature before posting.

Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +
titao
Starting out
Posts: 30
Joined: Sun Dec 28, 2008 2:22 am

Re: Upgrade the dang server, please!

Post by titao »

hi all,

proftp is buggy. there's no way around it.
qnap should change to a real ftp server, used by major sites- vsftp

i have installed it on my nas through ipkg but i'm still setting it up :?

cheers
rojek
Getting the hang of things
Posts: 54
Joined: Mon Jul 13, 2009 10:03 pm
Location: Melbourne

Re: Upgrade the dang server, please!

Post by rojek »

Great! :roll: - I followed the post by "titao" searching for bugs and yes, found a nasty
security issue affecting proFTP, but that one would seem to relate to earlier versions
than 1.3.1rc2 currently supported by QNAP. See below.

I am very interested to see if QNAP proFTP is safe to use as I have it opened to the Internet
and I have lots of other files on that box I do not want to compromise. I am not using plain
FTP but do not know if that is enough to keep my box safe!

I extremely do not appreciate being put in a situation by a vendor like QNAP where I am forced to
worry whether their *couple of years* old FTP product is secure enough or not. If I wanted to do
BYO NAS I would not have paid lots of money for their equipment. I think this is quite arrogant
and disrespectful to the customer.

"Affected Versions:
ProFTPD 1.2.7
ProFTPD 1.2.8
ProFTPD 1.2.8rc1
ProFTPD 1.2.8rc2
ProFTPD 1.2.9rc1
ProFTPD 1.2.9rc2

Description:
A vulnerability exists in the ProFTPD server that can be triggered by
remote attackers when transferring files from the FTP server in ASCII
mode. The attacker must have the ability to upload a file to the server,
and then attempt to download the same file to trigger the vulnerability.

The vulnerability occurs when a file is being transferred in ASCII mode.
During a transfer of this type, file data is examined in 1024 byte chunks
to check for newline (\n) characters. The translation of these newline
characters is not handled correctly, and a buffer overflow can manifest if
ProFTPD parses a specially crafted file.

The ProFTPD daemon makes an effort to drop superuser privileges to limit
the privilege level associated with any successful attack. However,
X-Force has demonstrated that this security check can be bypassed, and
:roll: superuser access can be gained by a remote attacker.
"
Cheers (TS 453D and some older units)
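The advisory quoted above describes the bug class rather than the fix: an ASCII-mode transfer expands every bare LF into CRLF, so a 1024-byte chunk can legitimately produce up to 2048 output bytes, and a translation routine that writes into a buffer sized for the input will overrun it. The following is an added illustration, not ProFTPD's code and not from anyone in this thread; it shows a translation routine that computes the required output size and refuses to write past the buffer it is given, with a constructed worst-case chunk (1024 bytes of '\n') used as input. The function and variable names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Bytes an ASCII-mode sender must reserve for a chunk: each bare '\n'
 * (one not already preceded by '\r') grows by one byte, so the worst
 * case is twice the input length. */
size_t ascii_out_needed(const unsigned char *in, size_t inlen)
{
    size_t need = inlen;
    for (size_t i = 0; i < inlen; i++)
        if (in[i] == '\n' && (i == 0 || in[i - 1] != '\r'))
            need++;
    return need;
}

/* Translate LF to CRLF without ever writing past out + outcap.
 * Returns the number of bytes produced, or -1 if outcap is too small. */
long ascii_translate(const unsigned char *in, size_t inlen,
                     unsigned char *out, size_t outcap)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        int bare_lf = (in[i] == '\n' && (i == 0 || in[i - 1] != '\r'));
        size_t room = bare_lf ? 2 : 1;
        if (outcap - o < room)      /* bounds check before every write */
            return -1;
        if (bare_lf)
            out[o++] = '\r';
        out[o++] = in[i];
    }
    return (long)o;
}

/* Constructed worst-case chunk: 1024 bytes of '\n', the chunk size the advisory names. */
#define CHUNK 1024

size_t demo_worst_case_needed(void)
{
    unsigned char in[CHUNK];
    memset(in, '\n', sizeof in);
    return ascii_out_needed(in, sizeof in);     /* 2048 */
}

/* Translate the worst-case chunk into a buffer of 'outcap' bytes (at most 2*CHUNK). */
long demo_translate_into(size_t outcap)
{
    unsigned char in[CHUNK], out[2 * CHUNK];
    if (outcap > sizeof out)
        return -1;
    memset(in, '\n', sizeof in);
    return ascii_translate(in, sizeof in, out, outcap);
}

/* Input that is already CRLF must pass through unchanged; returns 1 on success. */
int demo_crlf_preserved(void)
{
    const unsigned char in[] = "a\r\nb\n";      /* constructed sample */
    unsigned char out[16];
    long n = ascii_translate(in, sizeof in - 1, out, sizeof out);
    return n == 6 && memcmp(out, "a\r\nb\r\n", 6) == 0;
}

int main(void)
{
    printf("bytes needed for a %d-byte worst-case chunk: %zu\n", CHUNK, demo_worst_case_needed());
    printf("translate into a 1024-byte buffer: %ld (refused)\n", demo_translate_into(CHUNK));
    printf("translate into a 2048-byte buffer: %ld\n", demo_translate_into(2 * CHUNK));
    printf("CRLF input preserved: %s\n", demo_crlf_preserved() ? "yes" : "no");
    return 0;
}
```

The point for an operator reading the advisory is the size relationship: a fixed buffer equal to the input chunk size is only safe when no translation happens, and a routine that checks remaining capacity before each write fails closed instead of corrupting memory.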
titao
Starting out
Posts: 30
Joined: Sun Dec 28, 2008 2:22 am

Re: Upgrade the dang server, please!

Post by titao »

hi rojek,

i wouldn't open proftp to the internet....i don't even have it running all the time, only when i need to use it i turn it on. what we have installed by default at our nas is a release candidate, even if you update it through ipkg it's still a rc.

the way proftp code was written it will always be susceptible to buffer overflows.

install vsftp through ipkg and check their home page vsftpd.beasts.org
there you'll find documentation to make it run, that's what i'm doing.

cheers
Last edited by titao on Tue Sep 01, 2009 8:45 am, edited 1 time in total.
rojek
Getting the hang of things
Posts: 54
Joined: Mon Jul 13, 2009 10:03 pm
Location: Melbourne

Re: Upgrade the dang server, please!

Post by rojek »

hi titao,

Thanks for your direct advice - I am going to shut down FTP (wrrr QNAP :evil: ) on my NAS in 24 hours.

I would like to try to set vsftpd up but I am not *nix hands on these days. Do I have a chance? :(
Not to mention I am time poor with two small kids :D

My first set back is not even *nix... the "Get QPKG" button lists only several packages presumably
preloaded on my unit. I guess I need to use the RSS feed... but this turns up a blank page. I read
http://forum.qnap.com/viewtopic.php?f=85&t=1085 but this "sit back approach" does not make
sense unless I can see the vsftpd package.

Perhaps you (and others) could give me some tips - maybe best thing would be to set a new thread?
"DIY steps on how to replace the QNAP's dang FTP server" for example :-)
Cheers (TS 453D and some older units)
QNAPJason
QNAP Staff
Posts: 5398
Joined: Thu May 21, 2009 2:14 pm
Location: Taipei

Re: Upgrade the dang server, please!

Post by QNAPJason »

Hi guys,
Thanks for the suggestion about the FTP server. I'll mention it as well as this forum post to our engineers during the review meeting this Thursday.

regards,

Jason
hornetbzz
Getting the hang of things
Posts: 97
Joined: Tue Apr 07, 2009 8:10 am

Re: Upgrade the dang server, please!

Post by hornetbzz »

Sorry for the stupid question, but why not just block ASCII mode transfer within the proftpd config file, then it's safe ..?

Thx
The Force to be with you !!
--------------------------------------
TS509 Pro (2.1.5 Build 0408T), Apache/2.2.6 (Unix) DAV/2 mod_ssl/2.2.6 OpenSSL/0.9.8e , PHP 5.2.9, 5 x 1.5 To (RAID5), 1 nux Firewall, 1 Netgear GS724T, 3 other machines (Debian)
nicklasholm
New here
Posts: 4
Joined: Wed Sep 23, 2009 2:09 pm

Re: Upgrade the dang server, please!

Post by nicklasholm »

Any news on this matter?
benomg
New here
Posts: 3
Joined: Tue Feb 09, 2010 1:37 pm

Re: Upgrade the dang server, please!

Post by benomg »

bump

How'd that meeting go?
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Upgrade the dang server, please!

Post by schumaku »

QNAP obviously sticks to proftpd.

The cited vulnerability does not apply to the proftpd actually in place. There are some more issues to address on the ftp server side. Using a username in a different case can lead to more (or in some cases less) access rights than granted on the server level, due to some access control bypassing and then because of the "everyone" group used all around the NAS.

I expect some action related to these issues, and hope they will go to a non-RC.

As long as such server processes are written in C and run in the more than poor runtime environment of a Linux or generic Unix system, there will be buffer overflow vulnerabilities.

Other OSes with much stricter runtime checks, and servers written in higher-level languages and executed in runtime environments that correctly check any parameters while passing them (at the price of more overhead), have been banned from hacker contests because they were not fun enough. Except for the system managers like me watching over these systems.

-Kurt.
Knuspar
Know my way around
Posts: 155
Joined: Thu Aug 25, 2011 5:02 am
Location: Denmark

Re: Upgrade the dang server, please!

Post by Knuspar »

100% with John as well!
Currently: TS-653D
Retired: TS-419+
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: Upgrade the dang server, please!

Post by schumaku »

Sorry, what is _your_ point please? Despite the potential proftp vulnerability announced very few days ago that will certainly lead to an upgrade, there are no show-stoppers in ftp.
Knuspar
Know my way around
Posts: 155
Joined: Thu Aug 25, 2011 5:02 am
Location: Denmark

Re: Upgrade the dang server, please!

Post by Knuspar »

schumaku wrote: Sorry, what is _your_ point please? Despite the potential proftp vulnerability announced very few days ago that will certainly lead to an upgrade, there are no show-stoppers in ftp.
If that was in reply to me, I must admit I made a quick reply from the bottom of page one in the thread. Apologies :oops:
Currently: TS-653D
Retired: TS-419+