Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 24 Apr 2001 09:57:33 -0700
From:      "Crist Clark" <crist.clark@globalstar.com>
To:        Victor Sudakov <sudakov@sibptus.tomsk.ru>
Cc:        Dag-Erling Smorgrav <des@ofug.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: Q: Impact of globbing vulnerability in ftpd
Message-ID:  <3AE5B07D.9EFE500B@globalstar.com>
References:  <20010423111632.B17342@sibptus.tomsk.ru> <xzpitjvgbub.fsf@flood.ping.uio.no> <20010423190737.A25969@sibptus.tomsk.ru> <xzpae57fyzl.fsf@flood.ping.uio.no> <3AE45EAC.18A180EE@globalstar.com> <20010424100044.B40591@sibptus.tomsk.ru>
next in thread | previous in thread | raw e-mail | index | archive | help 
Victor Sudakov wrote:
[snip]

> > Privilege escalation is possible whenever an FTP daemon can be fed
> > arbitrary code to execute.
> 
> Do you know of any exploits that can run arbitrary code via ftpd
> not with the euid of the user (possible anonymous) , but with root privileges?

Here's one from Bugtraq. It claims to run under FreeBSD 4.x (not .3) and 
OpenBSD 2.8. It does not include code to break from a chroot, so it does not 
work for that case. However, nothing is stopping you from adding code to break 
out of the chroot once you have setuid back to root. 

I have not tested it. No guarantee it works. Have fun.

  http://www.securityfocus.com/archive/1/176905

-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster@globalstar.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3AE5B07D.9EFE500B>