From: "Riley J. McIntire"
Date: Tue, 06 Mar 2001 10:23:32 -0800
Subject: RE: ftp access
In-reply-to: <20010306092420.A17428@ringworld.oblivion.bg>
To: Peter Pentchev, Dag-Erling Smorgrav
Cc: Adam, "Aaron D.Gifford", freebsd-security@FreeBSD.ORG

>
> On Tue, Mar 06, 2001 at 03:59:52AM +0100, Dag-Erling Smorgrav wrote:
> > Adam writes:
> > > What happens if they have a valid ftp account, login, and run !sh ?
> >
> > They get a shell on the box they're FTPing from.
>
> ..which happens to be the box they logged in *to*, since /usr/bin/ftp
> is effectively their login shell. Yes, that's bad.
>
> G'luck,
> Peter

No, looks to me like the shell is piped (not sure this is exactly how it
works...) through the login shell (ftp_only). It gives an error:

root@worm# telnet aji
Trying 10.100.100.100...
Connected to aji
Escape character is '^]'.

FreeBSD/i386 (aji) (ttyp2)

login: rjm
Password:
Last login: Tue Mar 6 10:06:20 from worm
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California. All rights reserved.

FreeBSD 4.2-RELEASE (AJI) #0: Sat Dec 9 13:27:56 PST 2000

// motd display snipped

You have new mail.
This account is for ftp only
Connected to localhost.
220 aji FTP server (Version 6.00LS) ready.
Name (localhost:rjm):
331 Password required for rjm.
Password:
230 User rjm logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> !/bin/sh
ftp: /sbin/ftp_only: Exec format error
ftp> !
ftp: /sbin/ftp_only: Exec format error

Riley
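
Added example, not part of Riley's message and not code from ftp(1) or from his system: the error names /sbin/ftp_only even though /bin/sh was typed, which matches the ftp client's "!" escape executing the program named in $SHELL with "-c <command>". The C program below repeats that call against a constructed stand-in file, assuming ftp_only is a script with no "#!" line; the function name and the temporary path are hypothetical.

```c
/* Added illustration; function name, temp path and script bodies are constructed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/*
 * Write `body` to a temporary executable file standing in for the account's
 * login shell, then run `cmd` through it as a "!" escape would:
 * execl(shell, name, "-c", cmd). Returns the child's exit status;
 * 126 means execve() failed with ENOEXEC, 127 any other failure.
 */
int escape_via_shell(const char *body, const char *cmd)
{
    char path[] = "/tmp/ftp_only.XXXXXX";
    int fd = mkstemp(path), status = 127;
    if (fd < 0)
        return 127;
    if (write(fd, body, strlen(body)) < 0 || fchmod(fd, 0700) < 0) {
        close(fd); unlink(path); return 127;
    }
    close(fd);                      /* a writable open fd would cause ETXTBSY */

    pid_t pid = fork();
    if (pid == 0) {
        execl(path, "ftp_only", "-c", cmd, (char *)NULL);
        fprintf(stderr, "ftp: %s: %s\n", path, strerror(errno));
        _exit(errno == ENOEXEC ? 126 : 127);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        status = WEXITSTATUS(status);
    else
        status = 127;
    unlink(path);
    return status;
}

int main(void)
{
    /* No "#!" line: execl() has no /bin/sh fallback, so the escape fails. */
    printf("no interpreter line:   %d\n",
           escape_via_shell("echo This account is for ftp only\n", "/bin/sh"));
    /* With "#!": the wrapper itself runs again; cmd is only an argument to it. */
    printf("with interpreter line: %d\n",
           escape_via_shell("#!/bin/sh\nexit 7\n", "/bin/sh"));
    return 0;
}
```

In both cases the requested /bin/sh is never started directly; what runs, or fails to run, is whatever the account's login shell entry points to, so that entry is the setting to review.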