A network administrator discovers several unknown files in the root directory of his Linux FTP server. One of the files is a tarball, two are shell script files, and the last one is a binary file named "nc_ ". The FTP server's access logs show that the anonymous user account logged into the server, uploaded the files, extracted the contents of the tarball and ran the script using a function provided by the FTP server's software. The ps command shows that the nc_* file is running as process nc, and the netstat command shows the nc process is listening on a network port. What kind of vulnerability must be present to make this remote attack possible?

Directory traversal, Privilege escalation, Brute force login or File system permissions

Which is the correct answer?

Potaito
  • This looks like a homework question. What has your own research led you to believe, and why? – user May 24 '17 at 10:52
  • And I think every one of the 4 could be the culprit. Extend the question with the things you already know (configurations etc.), and if this is not homework: tell the administrator to shut down the entire system and set it up fresh. – Serverfrog May 24 '17 at 10:56
  • @MichaelKjörling this is a homework question, actually, and I think its answer is Directory traversal, but when I searched for this question I found the answer is Privilege escalation, with no explanation – user8025572 May 24 '17 at 12:34

1 Answer

Directory Traversal is not it because the FTP user logged in and performed all actions on the same directory. The problem could be that FTP was allowed in this particular location.

Brute Force Login is not it because the problem scope starts after successful login.

File System Permissions is a possible answer, but it depends on the purpose of the FTP site. If you allow people to upload, then you open a lot of doors.

Privilege escalation is most likely, and your hint was:

> ran the script using a function provided by the FTP server's software

The question designer meant that the attacker exploited a vulnerable function of the FTP software to permit the running of the binaries.

I don't think it's a great question, and it's asking the reader to forget any other context but focus on the hint in the middle of the question. Look for more of these types of hints in other questions.

schroeder
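
The sequence described in the question (anonymous login, upload, then execution through a function of the FTP server) can be searched for in command logs. The following is an added example, not part of the original question or answer; the log layout, session ids and file names are constructed, and treating `SITE EXEC` as the server's execution function is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample log. The "time session user COMMAND args" layout is an
# assumption for this example, not the format of any particular FTP server.
SAMPLE_LOG = """\
10:01:02 s1 anonymous LOGIN ok
10:01:10 s1 anonymous STOR /kit.tar
10:01:12 s1 anonymous STOR /run.sh
10:01:30 s1 anonymous SITE EXEC tar xf kit.tar
10:01:35 s1 anonymous SITE EXEC sh run.sh
10:05:00 s2 alice LOGIN ok
10:05:09 s2 alice STOR /home/alice/report.pdf
10:07:41 s3 anonymous LOGIN ok
10:07:50 s3 anonymous RETR /pub/readme.txt
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (.*))?$")
ANON_USERS = ("anonymous", "ftp")
UPLOAD_CMDS = ("STOR", "STOU", "APPE")

def triage(log_text):
    """Return {session: findings} for sessions matching the scenario:
    anonymous login, at least one upload, then server-side execution."""
    sessions = defaultdict(lambda: {"user": None, "uploads": [], "execs": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _time, sid, user, cmd, args = m.groups()
        s = sessions[sid]
        s["user"] = user
        cmd, args = cmd.upper(), args or ""
        if cmd in UPLOAD_CMDS:
            s["uploads"].append(args)
        elif cmd == "SITE" and args.upper().startswith("EXEC ") and s["uploads"]:
            # Only count executions that happen after an upload in the session.
            s["execs"].append(args[5:])
    findings = {}
    for sid, s in sessions.items():
        if s["user"] in ANON_USERS and s["uploads"] and s["execs"]:
            findings[sid] = {"uploads": s["uploads"], "executed": s["execs"]}
    return findings

if __name__ == "__main__":
    for sid, f in triage(SAMPLE_LOG).items():
        print(sid, "anonymous upload followed by execution:", f)
```
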