From owner-freebsd-security Tue Apr 24 9:57:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id D89AC37B422 for ; Tue, 24 Apr 2001 09:57:35 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GCB33E00.72P; Tue, 24 Apr 2001 09:57:14 -0700 Message-ID: <3AE5B07D.9EFE500B@globalstar.com> Date: Tue, 24 Apr 2001 09:57:33 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Victor Sudakov Cc: Dag-Erling Smorgrav , freebsd-security@FreeBSD.ORG Subject: Re: Q: Impact of globbing vulnerability in ftpd References: <20010423111632.B17342@sibptus.tomsk.ru> <20010423190737.A25969@sibptus.tomsk.ru> <3AE45EAC.18A180EE@globalstar.com> <20010424100044.B40591@sibptus.tomsk.ru> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Victor Sudakov wrote: [snip] > > Privilege escalation is possible whenever an FTP daemon can be fed > > arbitrary code to execute. > > Do you know of any exploits that can run arbitrary code via ftpd > not with the euid of the user (possible anonymous) , but with root privileges? Here's one from Bugtraq. It claims to run under FreeBSD 4.x (not .3) and OpenBSD 2.8. It does not include code to break from a chroot, so it does not work for that case. However, nothing is stopping you from adding code to break out of the chroot once you have setuid back to root. I have not tested it. No guarantee it works. Have fun. http://www.securityfocus.com/archive/1/176905 -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message