From owner-freebsd-security@FreeBSD.ORG Mon Dec 5 19:45:09 2011
From: Mike Tancsa <mike@sentex.net>
Organization: Sentex Communications
Date: Mon, 05 Dec 2011 14:44:47 -0500
Message-ID: <4EDD1F2F.20802@sentex.net>
In-Reply-To: <4ED6D577.9010007@delphij.net>
To: d@delphij.net
Cc: freebsd-security@freebsd.org, Xin LI, Przemyslaw Frasunek
Subject: Re: ftpd security issue ?

On 11/30/2011 8:16 PM, Xin LI wrote:
> On 11/30/11 17:01, Mike Tancsa wrote:
>> On 11/30/2011 7:01 PM, Xin LI wrote:
>>>
>>>> BTW. This vulnerability affects only configurations, where
>>>> /etc/ftpchroot exists or anonymous user is allowed to create
>>>> files inside etc and lib dirs.
>>>
>>> This doesn't seem to be typical configuration or no?
>
>> I think in shared hosting environments it would be somewhat common.
>> For anon ftp, I don't think the anon user would be able to create /
>> write to a lib directory.
>
>>>
>>> Will the attached patch fix the problem?
>>>
>>> (I think libc should just refuse /etc/nsswitch.conf and libraries
>>> if they are writable by others by the way)
>
>> It does not seem to prevent the issue for me. Using Przemyslaw
>> program's,
>
> Sorry I patched at the wrong place, this one should do.
>
> Note however this is not sufficient to fix the problem, for instance
> one can still upload .so's that run arbitrary code at his privilege,
> which has to be addressed in libc. I need some time to play around
> with libc to really fix this one.

Forgive the naive question, but is there a way to prevent a process
(in this case proftpd) from loading a .so if the session is in a
chrooted environment? Or if at the start of the process, is there a
way to force the process to load a lib so that later on, it won't try
and load the "bad" lib?

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@FreeBSD.ORG Mon Dec 5 19:49:00 2011
From: Xin Li <delphij@delphij.net>
Organization: The FreeBSD Project
Date: Mon, 05 Dec 2011 11:48:55 -0800
Message-ID: <4EDD2027.9030807@delphij.net>
In-Reply-To: <4EDD1F2F.20802@sentex.net>
To: Mike Tancsa
Cc: freebsd-security@freebsd.org, d@delphij.net, Przemyslaw Frasunek
Subject: Re: ftpd security issue ?
Reply-To: d@delphij.net

On 12/05/11 11:44, Mike Tancsa wrote:
> On 11/30/2011 8:16 PM, Xin LI wrote:
>> On 11/30/11 17:01, Mike Tancsa wrote:
>>> On 11/30/2011 7:01 PM, Xin LI wrote:
>>>>
>>>>> BTW. This vulnerability affects only configurations, where
>>>>> /etc/ftpchroot exists or anonymous user is allowed to
>>>>> create files inside etc and lib dirs.
>>>>
>>>> This doesn't seem to be typical configuration or no?
>>
>>> I think in shared hosting environments it would be somewhat
>>> common. For anon ftp, I don't think the anon user would be able
>>> to create / write to a lib directory.
>>
>>>>
>>>> Will the attached patch fix the problem?
>>>>
>>>> (I think libc should just refuse /etc/nsswitch.conf and
>>>> libraries if they are writable by others by the way)
>>
>>> It does not seem to prevent the issue for me. Using
>>> Przemyslaw program's,
>>
>> Sorry I patched at the wrong place, this one should do.
>>
>> Note however this is not sufficient to fix the problem, for
>> instance one can still upload .so's that run arbitrary code at
>> his privilege, which has to be addressed in libc. I need some
>> time to play around with libc to really fix this one.
>
> Forgive the naive question, but is there a way to prevent a process
> (in this case proftpd) from loading a .so if the session is in a
> chrooted environment? Or if at the start of the process, is there
> a way to force the process to load a lib so that later on, it won't
> try and load the "bad" lib?

Currently no (I thought you were in the cc list in my discussion with
kib@?). My initial plan was simply rejecting .so's with wrong
permissions but in the discussion turns out that would not be
sufficient and we have also considered other ways to do it, e.g. have
a wrapper where one can disable them completely. I have not a full
solution yet as the change would touch quite a lot of things in the
base system...

-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die

From owner-freebsd-security@FreeBSD.ORG Mon Dec 5 20:34:25 2011
From: Mike Tancsa <mike@sentex.net>
Organization: Sentex Communications
Date: Mon, 05 Dec 2011 15:34:13 -0500
Message-ID: <4EDD2AC5.9070505@sentex.net>
In-Reply-To: <4EDD2027.9030807@delphij.net>
To: d@delphij.net
Cc: freebsd-security@freebsd.org, Xin Li, Przemyslaw Frasunek
Subject: Re: ftpd security issue ?

On 12/5/2011 2:48 PM, Xin Li wrote:
>
> Currently no (I thought you were in the cc list in my discussion with
> kib@?). My initial plan was simply rejecting .so's with wrong
> permissions but in the discussion turns out that would not be
> sufficient and we have also considered other ways to do it, e.g. have
> a wrapper where one can disable them completely. I have not a full
> solution yet as the change would touch quite a lot of things in the
> base system...

Hi Xin, yes, I am on the cc list. I vaguely understand the complexity
of the issue enough to see it's not an easy fix. In the meantime, I was
just looking for ways to protect the few boxes I have that run proftpd.
Right now running with "rootrevoke on" seems to be the safest, but that
has the side effect of killing active connections.

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@FreeBSD.ORG Mon Dec 5 20:42:20 2011
From: Xin Li <delphij@delphij.net>
Organization: The FreeBSD Project
Date: Mon, 05 Dec 2011 12:42:19 -0800
Message-ID: <4EDD2CAB.5040706@delphij.net>
In-Reply-To: <4EDD2AC5.9070505@sentex.net>
To: Mike Tancsa
Cc: freebsd-security@freebsd.org, d@delphij.net, Przemyslaw Frasunek
Subject: Re: ftpd security issue ?
Reply-To: d@delphij.net

Hi, Mike,

On 12/05/11 12:34, Mike Tancsa wrote:
> On 12/5/2011 2:48 PM, Xin Li wrote:
>>
>> Currently no (I thought you were in the cc list in my discussion
>> with kib@?). My initial plan was simply rejecting .so's with
>> wrong permissions but in the discussion turns out that would not
>> be sufficient and we have also considered other ways to do it,
>> e.g. have a wrapper where one can disable them completely. I
>> have not a full solution yet as the change would touch quite a
>> lot of things in the base system...
>
> Hi Xin, yes, I am on the cc list. I vaguely understand the
> complexity of the issue enough to see it's not an easy fix. In the
> meantime, I was just looking for ways to protect the few boxes I
> have that run proftpd. Right now running with "rootrevoke on" seems
> to be the safest, but that has the side effect of killing active
> connections.

Oh for now you would probably need to patch proftpd and rtld-elf so
that proftpd after chroot immediately tells rtld-elf that no .so's
should be loaded from that point. I don't think I would be able to do
anything before office hours as I'm working on something else for the
company now.

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

From owner-freebsd-security@FreeBSD.ORG Thu Dec 8 21:53:07 2011
From: Mike Tancsa <mike@sentex.net>
Organization: Sentex Communications
Date: Thu, 08 Dec 2011 16:52:56 -0500
Message-ID: <4EE131B8.7040000@sentex.net>
In-Reply-To: <4ED6DA75.30604@sentex.net>
To: d@delphij.net
Cc: freebsd-security@freebsd.org, Przemyslaw Frasunek
Subject: Re: ftpd security issue ?
On 11/30/2011 8:37 PM, Mike Tancsa wrote:
> On 11/30/2011 8:16 PM, Xin LI wrote:
>>
>> Sorry I patched at the wrong place, this one should do.
>>
>> Note however this is not sufficient to fix the problem, for instance
>> one can still upload .so's that run arbitrary code at his privilege,
>> which has to be addressed in libc. I need some time to play around
>> with libc to really fix this one.
>
> Hi,
> Yes, that looks better! With respect to users uploading .so files, I
> guess why not just upload executables directly? Although I suppose if
> they are not allowed to execute anything, this would be a way around that.
>
> Now to prod the proftpd folks

I was testing sshd when the user's sftp session is chrooted to see how
it behaves. Because of the safety design of the way sshd is written,
it's not possible to do this out of the box. The person would first
need to create those files as root since the chroot directory is not
writeable by the user as explained in
http://www.gossamer-threads.com/lists/openssh/dev/44657

But if somehow the user is able to create those directories at the
top, or those directories are created ahead of time for the user
that's writeable by them, the bogus lib will and does run in the
user's context.

I don't imagine this is common, but I am sure there is some potential
foot shooting going on. Looking at the scponly port, it seems well
aware of this based on the suggested setup. But again, foot shooting
could happen if the lib path is not secured properly.

Other than having /etc/nsswitch.conf, are there any other methods that
would trigger loading of shared libs in the chrooted environment?

---Mike

-- 
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/

From owner-freebsd-security@FreeBSD.ORG Thu Dec 8 22:24:19 2011
From: Xin Li <delphij@delphij.net>
Organization: The FreeBSD Project
Date: Thu, 08 Dec 2011 14:24:16 -0800
Message-ID: <4EE13910.2030103@delphij.net>
In-Reply-To: <4EE131B8.7040000@sentex.net>
To: Mike Tancsa
Cc: freebsd-security@freebsd.org,
d@delphij.net, Przemyslaw Frasunek
Subject: Re: ftpd security issue ?
Reply-To: d@delphij.net

On 12/08/11 13:52, Mike Tancsa wrote:
> On 11/30/2011 8:37 PM, Mike Tancsa wrote:
>> On 11/30/2011 8:16 PM, Xin LI wrote:
>>>
>>> Sorry I patched at the wrong place, this one should do.
>>>
>>> Note however this is not sufficient to fix the problem, for
>>> instance one can still upload .so's that run arbitrary code at
>>> his privilege, which has to be addressed in libc. I need some
>>> time to play around with libc to really fix this one.
>>
>> Hi, Yes, that looks better! With respect to users uploading .so
>> files, I guess why not just upload executables directly?
>> Although I suppose if they are not allowed to execute anything,
>> this would be a way around that.
>>
>> Now to prod the proftpd folks
>
> I was testing sshd when the user's sftp session is chrooted to see
> how it behaves. Because of the safety design of the way sshd is
> written, it's not possible to do this out of the box. The person
> would first need to create those files as root since the chroot
> directory is not writeable by the user as explained in
> http://www.gossamer-threads.com/lists/openssh/dev/44657
>
> But if somehow the user is able to create those directories at the
> top, or those directories are created ahead of time for the user
> that's writeable by them, the bogus lib will and does run in the
> user's context.
>
> I don't imagine this is common, but I am sure there is some
> potential foot shooting going on. Looking at the scponly port, it
> seems well aware of this based on the suggested setup. But again,
> foot shooting could happen if the lib path is not secured
> properly.
>
> Other than having /etc/nsswitch.conf, are there any other methods
> that would trigger loading of shared libs in the chrooted
> environment?

PAM and iconv (not enabled by default) come to mind.

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die

From owner-freebsd-security@FreeBSD.ORG Fri Dec 9 08:21:16 2011
From: gabor@zahemszky.hu
Date: Fri, 09 Dec 2011 09:04:39 +0100
In-Reply-To: <4EE131B8.7040000@sentex.net>
To: freebsd-security@freebsd.org
Subject: Re: ftpd security issue ?

Hi!

Are the following steps enough to protect me?

# for user in user1 user2 .... ; do
mkdir -p ~$user/lib ~$user/usr/lib ~$user/etc
chflags sunlink,schg ~$user/lib ~$user/usr ~$user/usr/lib ~$user/etc
done
#

Bye,

Gábor

< Gabor at Zahemszky dot HU >

From owner-freebsd-security@FreeBSD.ORG Fri Dec 9 08:25:11 2011
From: Xin LI <delphij@gmail.com>
Date: Fri, 9 Dec 2011 00:25:10 -0800
In-Reply-To: (message from gabor@zahemszky.hu, Fri, 09 Dec 2011 09:04:39 +0100)
To: gabor@zahemszky.hu
Cc: freebsd-security@freebsd.org
Subject: Re: ftpd security issue ?

On Fri, Dec 9, 2011 at 12:04 AM, gabor@zahemszky.hu wrote:
> Hi!
>
> Are the following steps enough to protect me?
>
> # for user in user1 user2 .... ; do
> mkdir -p ~$user/lib ~$user/usr/lib ~$user/etc
> chflags sunlink,schg ~$user/lib ~$user/usr ~$user/usr/lib ~$user/etc
> done
> #

Yes that should be sufficient workaround.

Cheers,
-- 
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!    Live free or die

From owner-freebsd-security@FreeBSD.ORG Fri Dec 9 08:39:24 2011
From: Eugene Grosbein <egrosbein@rdtc.ru>
Date: Fri, 09 Dec 2011 15:39:15 +0700
Message-ID: <4EE1C933.4020001@rdtc.ru>
To: Xin LI
Cc: freebsd-security@freebsd.org, gabor@zahemszky.hu
Subject: Re: ftpd security issue ?

09.12.2011 15:25, Xin LI wrote:
> On Fri, Dec 9, 2011 at 12:04 AM, gabor@zahemszky.hu wrote:
>> Hi!
>>
>> Are the following steps enough to protect me?
>>
>> # for user in user1 user2 .... ; do
>> mkdir -p ~$user/lib ~$user/usr/lib ~$user/etc
>> chflags sunlink,schg ~$user/lib ~$user/usr ~$user/usr/lib ~$user/etc
>> done
>> #
>
> Yes that should be sufficient workaround.
Why /lib and /usr/lib only?

Eugene Grosbein

From owner-freebsd-security@FreeBSD.ORG Fri Dec 9 12:24:41 2011
From: gabor@zahemszky.hu
Date: Fri, 09 Dec 2011 13:24:39 +0100
In-Reply-To: <4EE1C933.4020001@rdtc.ru>
To: freebsd-security@freebsd.org
Subject: Re: ftpd security issue ?
On Fri, 09 Dec 2011 15:39:15 +0700, Eugene Grosbein wrote:
> 09.12.2011 15:25, Xin LI wrote:
>> On Fri, Dec 9, 2011 at 12:04 AM, gabor@zahemszky.hu wrote:
>>> Hi!
>>>
>>> Are the following steps enough to protect me?
>>>
>>> # for user in user1 user2 .... ; do
>>> mkdir -p ~$user/lib ~$user/usr/lib ~$user/etc
>>> chflags sunlink,schg ~$user/lib ~$user/usr ~$user/usr/lib
>>> ~$user/etc
>>> done
>>> #
>>
>> Yes that should be sufficient workaround.
>
> Why /lib and /usr/lib only?

??? /lib, /usr/lib and /etc.

Which directory is missing?

Gábor

< Gabor at Zahemszky dot HU >

From owner-freebsd-security@FreeBSD.ORG Fri Dec 9 12:30:16 2011
From: Eugene Grosbein <eugen@grosbein.pp.ru>
Date: Fri, 09 Dec 2011 19:30:08 +0700
Message-ID: <4EE1FF50.403@grosbein.pp.ru>
In-Reply-To: (message from gabor@zahemszky.hu, Fri, 09 Dec 2011 13:24:39 +0100)
To: gabor@zahemszky.hu
Cc: freebsd-security@freebsd.org
Subject: Re: ftpd security issue ?

09.12.2011 19:24, gabor@zahemszky.hu wrote:
> On Fri, 09 Dec 2011 15:39:15 +0700, Eugene Grosbein wrote:
>> 09.12.2011 15:25, Xin LI wrote:
>>> On Fri, Dec 9, 2011 at 12:04 AM, gabor@zahemszky.hu wrote:
>>>> Hi!
>>>>
>>>> Are the following steps enough to protect me?
>>>>
>>>> # for user in user1 user2 .... ; do
>>>> mkdir -p ~$user/lib ~$user/usr/lib ~$user/etc
>>>> chflags sunlink,schg ~$user/lib ~$user/usr ~$user/usr/lib
>>>> ~$user/etc
>>>> done
>>>> #
>>>
>>> Yes that should be sufficient workaround.
>>
>> Why /lib and /usr/lib only?
>
> ??? /lib, /usr/lib and /etc.
>
> Which directory is missing?

I do not know and therefore ask.
What guarantees that no other directory may be used to load a library from?

Eugene Grosbein
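The following POSIX sh helper is an added example written for this archive; it is my code, not something posted by anyone in the thread. It turns the mkdir/chflags workaround Gábor posted into two functions: harden_chroot pre-creates the directories as read-only, root-owned entries and, on FreeBSD, pins them with the same sunlink,schg flags, and audit_chroot reports entries in an existing per-user chroot that could let the user steer shared-library loading. Besides the /etc, /lib and /usr/lib directories the thread names, the audit also looks at /etc/libmap.conf and /var/run/ld-elf.so.hints, which FreeBSD's rtld reads relative to the process root and which can remap libraries or add search directories; including them, the RTLD_PATHS and HARDEN_DIRS lists, the status names, and the assumption that the chroot root is the user's (user-owned) home directory are all my choices, and the thread itself leaves Eugene's question open.

```shell
#!/bin/sh
# Added example (not from the thread): audit and harden the library-loading
# paths inside a per-user chroot, generalising the mkdir/chflags workaround.
# Assumptions (mine): the chroot root is the user's home directory, and the
# entries below are the ones rtld and libc consult from inside the chroot.

# Entries, relative to the chroot root, that can influence which shared
# objects get loaded: rtld's default search dirs (lib, usr/lib), the
# nsswitch.conf that makes libc dlopen() nss modules, libmap.conf (rtld
# library remapping) and ld-elf.so.hints (extra rtld search directories).
RTLD_PATHS="etc lib usr usr/lib var/run etc/nsswitch.conf etc/libmap.conf var/run/ld-elf.so.hints"
# Directories harden_chroot pre-creates (var is only there to hold var/run).
HARDEN_DIRS="etc lib usr usr/lib var var/run"

# Permission string and owner of a path, via ls so the same code works on
# FreeBSD and Linux (stat's command-line flags differ between the two).
mode_of()  { ls -ld "$1" | awk '{print $1}'; }
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# audit_chroot ROOT [TRUSTED_OWNER]
# Prints one "<STATUS> <relative path>" line per finding:
#   MISSING   directory absent: a user who owns ROOT can create it himself
#   WRITABLE  exists and is group- or world-writable
#   UNTRUSTED exists but is not owned by TRUSTED_OWNER (default: root)
# Returns 0 when there are no findings, 1 otherwise.
audit_chroot() {
    root=$1
    trusted=${2:-root}
    rc=0
    for rel in $RTLD_PATHS; do
        p="$root/$rel"
        if [ ! -e "$p" ]; then
            # A missing config file is harmless by itself; whether the user
            # could create one is decided by the check on its directory.
            case "$rel" in
                *.conf|*.hints) continue ;;
            esac
            echo "MISSING $rel"; rc=1; continue
        fi
        m=$(mode_of "$p")
        # ls mode string: position 6 is the group w bit, position 9 the world w bit
        case "$m" in
            ?????w*|????????w*) echo "WRITABLE $rel"; rc=1; continue ;;
        esac
        if [ "$(owner_of "$p")" != "$trusted" ]; then
            echo "UNTRUSTED $rel"; rc=1
        fi
    done
    return $rc
}

# harden_chroot ROOT
# Creates the directories before the chroot user can, makes them read-only,
# and on FreeBSD sets the thread's sunlink,schg flags (system immutable and
# undeletable; only root can clear them, and not at all once kern.securelevel
# is 1 or higher). Run as root on a real system.
harden_chroot() {
    root=$1
    for rel in $HARDEN_DIRS; do mkdir -p "$root/$rel"; done
    for rel in $HARDEN_DIRS; do chmod 0555 "$root/$rel"; done
    if [ "$(uname -s)" = FreeBSD ] && command -v chflags >/dev/null 2>&1; then
        for rel in $HARDEN_DIRS; do chflags sunlink,schg "$root/$rel"; done
    fi
}
```

Source the file and run audit_chroot /home/user1 (as root, so the default trusted owner applies) before and after harden_chroot /home/user1; a non-zero exit or any printed line means the user could still influence loading. Note that in the loop as posted, ~$user does not tilde-expand in sh or bash, because tilde expansion runs before parameter expansion and the literal login name "$user" is not valid, so pass explicit home directories (for example from pw usershow or getent passwd) to these functions rather than relying on that form.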