POC / VMsetup.txt
Sections:
	Building Pure-ftpd
	Setting up Chroot Jailed Accounts
	Config and Running Pure-ftpd
	Pwning Process



Ubuntu 22.04.5 LTS

sudo apt update
sudo apt upgrade
sudo apt install gcc make

=================================================================================
=================================================================================
Download, Patch, Configure and make Pure-ftpd
=================================================================================
=================================================================================

wget https://download.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.50.tar.gz
tar -xzf pure-ftpd-1.0.50.tar.gz
cd pure-ftpd-1.0.50
# Patch the source. Both sed commands address fixed line numbers of the 1.0.50
# tree, so on any other release they will clobber unrelated lines; check first
# with `sed -n '305p;4865p' src/ftpd.c` that 305 is the replybuf declaration and
# 4865 the display_banner initialisation.
#   - shrink the server reply buffer to 55 bytes
sed -i '305s/.*/static char replybuf[55U];/' src/ftpd.c
#   - force display_banner to 0
sed -i '4865s/.*/\tint display_banner = 0;/' src/ftpd.c
./configure --with-puredb --with-virtualchroot
sudo make install
cd ..
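The two sed commands above rewrite whatever happens to be on lines 305 and 4865, which is fine for the exact 1.0.50 tarball and silently wrong for anything else. The following helper is an added example, not part of the original VMsetup.txt or of Pure-ftpd: it rewrites a line only after confirming the line still matches an expected pattern. The patterns used in the usage comment ('static char replybuf\[' and 'display_banner') are my assumption about what those two lines contain in 1.0.50; adjust them if `sed -n '305p;4865p' src/ftpd.c` shows something else.

```shell
#!/bin/sh
# Added example, not part of the original VMsetup.txt: replace a source line only
# after checking that it still holds what we expect, so a line-number patch
# cannot silently hit the wrong line on a different pure-ftpd release.
set -eu

# patch_line FILE LINENO PATTERN REPLACEMENT
# Rewrites line LINENO of FILE with REPLACEMENT (taken literally) and returns 0
# only if the current line matches the basic regular expression PATTERN;
# otherwise prints a diagnostic, leaves FILE untouched and returns 1.
patch_line() {
    file=$1 lineno=$2 pattern=$3 replacement=$4
    current=$(sed -n "${lineno}p" "$file")
    if ! printf '%s\n' "$current" | grep -q -e "$pattern"; then
        printf 'refusing to patch %s:%s (got: %s)\n' "$file" "$lineno" "$current" >&2
        return 1
    fi
    # escape the characters that are special on the right-hand side of s///
    escaped=$(printf '%s' "$replacement" | sed 's/[\/&]/\\&/g')
    sed -i "${lineno}s/.*/${escaped}/" "$file"
}

# patched_line FILE LINENO -> print the current content of a line (for verification)
patched_line() {
    sed -n "${2}p" "$1"
}

# Usage against the 1.0.50 tree the page builds (line numbers from VMsetup.txt;
# the patterns are assumptions about what those lines contain):
#   patch_line src/ftpd.c 305  'static char replybuf\[' 'static char replybuf[55U];'
#   patch_line src/ftpd.c 4865 'display_banner' "$(printf '\tint display_banner = 0;')"
```

Because the function refuses rather than guesses, a mismatched tarball shows up as a failed build step instead of as a mysteriously non-working PoC later on.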

=================================================================================
=================================================================================
Create Two Chroot-Jailed Accounts That Can't Go Outside of /home/<user> (for demo purposes)

	I did this because I can't figure out how to put the symlink onto the server using FTP only,
	without SSH; also it seems like the symlink exploit only works on folders with read access.
	This is basically strong-arming a somewhat possible scenario where SSH is present but listing
	directories at upper levels isn't possible.
=================================================================================
=================================================================================

sudo su
groupadd chroot
# add users (a login shell is needed so they can SSH in and create the symlink)
useradd -m -d /home/bob -g chroot -s /bin/bash bob
useradd -m -d /home/eve -g chroot -s /bin/bash eve
# add password
passwd bob
passwd eve

# chroot jail ssh setup, following https://www.tecmint.com/restrict-ssh-user-to-directory-using-chrooted-jail/
sudo su
mkdir -p /home/bob/dev/
cd /home/bob/dev/
mknod -m 666 null c 1 3
mknod -m 666 tty c 5 0
mknod -m 666 zero c 1 5
mknod -m 666 random c 1 8

# Copy utilities
mkdir -p /home/bob/bin
cp -v /bin/{bash,ls,ln,rm,mkdir} /home/bob/bin/
# Copy utility dependencies
mkdir -p /home/bob/lib
mkdir -p /home/bob/lib64
cp -v /lib/x86_64-linux-gnu/{libc.so.6,libtinfo.so.6,libpcre2-8.so.0,libselinux.so.1} /home/bob/lib
cp -v /lib64/ld-linux-x86-64.so.2 /home/bob/lib64
# Copy the user/group databases so the jailed shell can resolve names
mkdir /home/bob/etc
cp -vf /etc/{passwd,group} /home/bob/etc/

rsync -av --exclude '.*' /home/bob/ /home/eve/

# Access control: sshd only accepts a ChrootDirectory that is root-owned and
# not writable by group or others (the same applies to every parent directory)
chown root:root /home/bob
chown root:root /home/eve

mkdir /home/bob/home
mkdir /home/eve/home
chown bob:chroot /home/bob/home
chown eve:chroot /home/eve/home

chmod 0755 -R /home/bob
chmod 0755 -R /home/eve
# the recursive chmod above also strips the 666 mode from the device nodes
# created earlier (bob could no longer write to /dev/null); restore it
chmod 666 /home/bob/dev/* /home/eve/dev/*

# ssh Chroot setup
echo 'Match Group chroot' >> /etc/ssh/sshd_config
echo 'ChrootDirectory %h' >> /etc/ssh/sshd_config
systemctl restart sshd

=================================================================================
=================================================================================
Pure-ftpd config
=================================================================================
=================================================================================

# add pure-ftpd users
# Note: the FTP chroot (/home/<user>/home) is deliberately one level below the
#       system chroot (/home/<user>): the symlink has to be created inside the FTP
#       chroot, which must therefore be writable by the user, while sshd insists
#       that the ChrootDirectory itself is root-owned and 0755 (drwxr-xr-x).
pure-pw useradd bob -u bob -d /home/bob/home
pure-pw useradd eve -u eve -d /home/eve/home
pure-pw mkdb

# run pure-ftpd
# -A: chroot() every user except root
# -E: only allow authenticated users (no anonymous login)
# -j: create the user's home directory if it does not exist
# -l: authentication backend (the puredb file built above)
sudo /usr/local/sbin/pure-ftpd -A -E -j -l puredb:/etc/pureftpd.pdb

NOTE: If the above command does not work with the exploit, try the following instead
(-u 1000 rejects logins for UIDs below 1000, -d and --verboselog add verbose logging,
which helps when debugging the PoC):
sudo /usr/local/sbin/pure-ftpd -A -j -l puredb:/etc/pureftpd.pdb -E -u 1000 -d --verboselog

=================================================================================
=================================================================================
Pwning Process
=================================================================================
=================================================================================
For the demo, maybe SSH into the server first to show how restrictive it is: most
files are owned by root, and you cannot see upper-level directories or other
users' directories.

Now, on another machine, run pure.py, which prints out the directory on the server
that you are trying to peek into:
python3 pure.py <server ip> 21 <username> <password> <attack dir>

Server File Structure:
/
  home/
    root account
    bob/      (bob's system chroot)
      home/   (bob's pure-ftpd chroot)
    eve/      (eve's system chroot)
      home/   (eve's pure-ftpd chroot)

Normally bob and eve can only view folders under their system chroot and create files in
their pure-ftpd chroot. With the CVE, bob and eve can peek wherever they like (with read access :( ).