CVE-1999-1344
Description
Auto_FTP 0.2 stores FTP credentials in plaintext in /etc/auto_ftp.conf, exposing them to any local user with read access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Auto_FTP 0.2, a Perl script that automatically transfers files placed in a shared directory to a remote FTP site, stores the FTP server username, password, and IP address in plaintext in the configuration file /etc/auto_ftp.conf [1]. The default shared directory is /tmp/ftp_tmp, which is readable by all local users [1]. The script does not verify the identity of the user placing files into the shared directory, so any local user can cause arbitrary files to be transferred [1].
Exploitation
An attacker with local shell access to the machine running Auto_FTP can simply read /etc/auto_ftp.conf if the file is world-readable (a typical default) [1]. No special authentication or privileges are required beyond the ability to list and read files in /etc. Additionally, the attacker can place any file into /tmp/ftp_tmp to have it automatically uploaded to the remote FTP site, without the script checking the source user [1].
Impact
Successful exploitation leads to disclosure of the FTP credentials (username and password), which may be reused on other systems or allow the attacker to directly log into the remote FTP server [1]. Furthermore, the attacker can upload arbitrary files to the remote FTP site, potentially causing data integrity or availability issues [1].
Mitigation
The advisory from October 5, 1999, describes the vulnerabilities but does not mention a patched version or workaround from the vendor [1]. Users are advised to avoid using Auto_FTP for sensitive transfers; if continued use is required, the configuration file and shared directory should be restricted to the minimum set of trusted users via file permissions (e.g., chmod 600 /etc/auto_ftp.conf and chmod 700 /tmp/ftp_tmp), though this is not a complete fix [1]. No vendor-supplied patch is documented in the available reference.
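The permission check implied by the mitigation above, as an added example that is not part of the advisory or of Auto_FTP itself. It assumes the two paths and the 600/700 modes named in the text; the function names and finding wording are this example's own.

```python
import os
import stat

# Paths and target modes taken from the mitigation text above
# (chmod 600 on the config file, chmod 700 on the shared directory).
TARGETS = {
    "/etc/auto_ftp.conf": 0o600,
    "/tmp/ftp_tmp": 0o700,
}

# Permission bits mapped to the exposure they create (wording is this example's own).
RISKS = [
    (stat.S_IROTH, "readable by every local user"),
    (stat.S_IWOTH, "writable by every local user"),
    (stat.S_IXOTH, "searchable/executable by every local user"),
    (stat.S_IRWXG, "accessible to the owning group"),
]


def audit_path(path, allowed_mode):
    """Return findings for one path; an empty list means it is no looser than allowed_mode."""
    try:
        st = os.lstat(path)  # lstat: report on the entry itself, not a symlink target
    except FileNotFoundError:
        return []  # nothing installed at this path, nothing exposed
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink, inspect its target by hand"]
    mode = stat.S_IMODE(st.st_mode)
    excess = mode & ~allowed_mode  # bits granted beyond the advised mode
    return [
        f"{path}: mode {mode:04o} is {label} (advised {allowed_mode:04o})"
        for bit, label in RISKS
        if excess & bit
    ]


def audit_all(targets=TARGETS):
    """Audit every configured path and return the combined findings."""
    findings = []
    for path, allowed in targets.items():
        findings.extend(audit_path(path, allowed))
    return findings


if __name__ == "__main__":
    for line in audit_all() or ["no permissions looser than advised"]:
        print(line)
```

A clean result only confirms the file modes; the credentials remain in plaintext on disk, which is why the text calls the permission change an incomplete fix.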
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2
Patches
0
No patches discovered yet.
References
1. marc.info (nvd)