From owner-freebsd-security Mon Apr 23 19: 2:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from sibptus.tomsk.ru (sibptus.tomsk.ru [213.59.238.16]) by hub.freebsd.org (Postfix) with ESMTP id 1E0ED37B423 for ; Mon, 23 Apr 2001 19:02:28 -0700 (PDT) (envelope-from sudakov@sibptus.tomsk.ru) Received: (from sudakov@localhost) by sibptus.tomsk.ru (8.9.3/8.9.3) id KAA40783; Tue, 24 Apr 2001 10:00:45 +0800 (KRAST) (envelope-from sudakov) Date: Tue, 24 Apr 2001 10:00:44 +0800 From: Victor Sudakov To: Crist Clark Cc: Dag-Erling Smorgrav , freebsd-security@FreeBSD.ORG Subject: Re: Q: Impact of globbing vulnerability in ftpd Message-ID: <20010424100044.B40591@sibptus.tomsk.ru> References: <20010423111632.B17342@sibptus.tomsk.ru> <20010423190737.A25969@sibptus.tomsk.ru> <3AE45EAC.18A180EE@globalstar.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.4i In-Reply-To: <3AE45EAC.18A180EE@globalstar.com>; from crist.clark@globalstar.com on Mon, Apr 23, 2001 at 09:56:12AM -0700 Organization: AO "Svyaztransneft", SibPTUS Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Apr 23, 2001 at 09:56:12AM -0700, Crist Clark wrote: > Dag-Erling Smorgrav wrote: > > > > Victor Sudakov writes: > > > On Mon, Apr 23, 2001 at 12:16:44PM +0200, Dag-Erling Smorgrav wrote: > > > > > As far as I understand, it can be exploited only after a user has > > > > > logged in, so ftpd is already chrooted > > > > Not necessarily. > > > Anonymous account is always chrooted. I think you have to play > > > with the source to disable this. > > > > The logged-in user is not necessarily anonymous. > > > > > > Run arbitrary code on the target machine, which may perform operations > > > > (such as creating new directories to store warez) which the FTP server > > > > normally doesn't allow the user to perform, > > > How is this possible if ftpd drops root privileges after > > > successful login? > > > > I didn't claim the code would run as root. It would run as the > > logged-in user, or user "ftp" in case of an anonymous login. > > The FTP daemon does _NOT_ drop privileges. It changes effective user > ID only. (Do a 'ps -axo pid,command,user,ruser | grep ftpd' on a running > daemon.) I see. > > > > So, if the users already have shell accounts, this security hole > > > does not matter for me, does it? > > > > Probably not. Depends on your anonftp setup. > > Privilege escalation is possible whenever an FTP daemon can be fed > arbitrary code to execute. Do you know of any exploits that can run arbitrary code via ftpd not with the euid of the user (possible anonymous) , but with root privileges? -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN 2:5005/149@fidonet http://vas.tomsk.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message