Can NOOP command executes without user log in on vsftpd?
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- vsftpd
Issue
Can NOOP command executes without user log in on vsftpd?
Resolution
NOOP command execution needs to login the server.
Root Cause
The vsftpd source code is here.
<postlogin.c>
void
process_post_login(struct vsf_session* p_sess)
{
...
<snip>
else if (str_equal_text(&p_sess->ftp_cmd_str, "NOOP"))
{
vsf_cmdio_write(p_sess, FTP_NOOPOK, "NOOP ok.");
}
...
}
<oneprocess.c>
void
vsf_one_process_login(struct vsf_session* p_sess,
const struct mystr* p_pass_str)
{
enum EVSFPrivopLoginResult login_result =
vsf_privop_do_login(p_sess, p_pass_str);
switch (login_result)
{
case kVSFLoginFail:
return;
break;
case kVSFLoginAnon:
p_sess->is_anonymous = 1;
process_post_login(p_sess);
break;
default:
bug("bad state in vsf_one_process_login");
break;
}
}
According to source code, NOOP command need to log in the server.
Sample results are below.
-
RHEL5.8
$ echo -en 'USER anonymous\nPASS test\nNOOP\r\nQUIT\r\n' | nc -w 5 -n 192.168.122.14 21
220 (vsFTPd 2.0.5)
331 Please specify the password.
230 Login successful.
200 NOOP ok.
221 Goodbye. -
RHEL6.3
$ echo -en 'USER anonymous\nPASS test\nNOOP\r\nQUIT\r\n' | nc -w 5 -n 192.168.122.35 21
220 (vsFTPd 2.2.2)
331 Please specify the password.
230 Login successful.
200 NOOP ok.
221 Goodbye.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
Comments