From: "Sergey N. Voronkov"
To: Alex
Cc: Kris Kennaway, freebsd-security@FreeBSD.ORG
Date: Wed, 23 May 2001 10:59:07 +0600
Subject: Re: Is there a ftp vuln in 4.3-STABLE
Message-ID: <20010523105907.A15346@sv.tech.sibitex.tmn.ru>

On Wed, May 23, 2001 at 12:35:15AM -0400, Alex wrote:
> > When I've found this stuff in my logfiles I've changed native ftpd to luke's
> > one. Sorry, can't get core to you... And don't want to set up native daemon
> > to provide potential hole to someone.
> >
> > May 16 15:50:34 ftp /kernel: pid 5272 (ftpd), uid 14: exited on signal 11
> > May 17 21:02:20 ftp /kernel: pid 11157 (ftpd), uid 14: exited on signal 11
>
> Who owns UID 14 on that machine? Not root I presume. So the
> process itself that segmentation faulted wasn't actually executed by root.
> Is UID 14 an FTP account for running the daemon?
>

UID 14 is for FS access only.
ftpd is running with root privileges, because it can't make a new connection from
a privileged port (ftp-data, for example) when it isn't root-privileged. So any
potential hole or buffer overflow in ftpd is permission for someone to get a root
shell on your ftp server. A chroot'ed shell, but root's in any case.

About UID 14: It'll be very, very nice if someone can tell me about dumping core
from seteuid'ed ftpd to ANY specified directory?

Bye,
Serg.
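
Added example, not part of the original message: a Python scan for the kernel crash lines quoted above, reporting network daemons killed by memory-fault signals and whether a core was written. The watch list, the signal set and the lines marked as constructed are assumptions.

```python
import re
from collections import defaultdict

# FreeBSD signal numbers for memory faults and illegal instructions.
FAULT_SIGNALS = {4: "SIGILL", 10: "SIGBUS", 11: "SIGSEGV"}
# Assumption: the daemons treated as network-facing on this host.
WATCHED = {"ftpd", "sshd", "named"}

# Matches the kernel message format shown in the quoted log lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: "
    r"pid (?P<pid>\d+) \((?P<proc>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?$"
)

def parse_crash(line):
    """Return a dict for a kernel 'exited on signal' line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": m["ts"], "host": m["host"], "proc": m["proc"],
            "pid": int(m["pid"]), "uid": int(m["uid"]),
            "sig": int(m["sig"]), "core": m["core"] is not None}

def summarize(lines, watched=WATCHED):
    """Group fault-signal crashes of watched daemons by (host, process)."""
    hits = defaultdict(list)
    for line in lines:
        crash = parse_crash(line)
        if crash and crash["proc"] in watched and crash["sig"] in FAULT_SIGNALS:
            hits[(crash["host"], crash["proc"])].append(crash)
    return dict(hits)

SAMPLE = [
    # The two lines quoted in the message; neither carries "(core dumped)".
    "May 16 15:50:34 ftp /kernel: pid 5272 (ftpd), uid 14: exited on signal 11",
    "May 17 21:02:20 ftp /kernel: pid 11157 (ftpd), uid 14: exited on signal 11",
    # Constructed lines: an unwatched process and unrelated daemon output.
    "May 17 21:05:01 ftp /kernel: pid 11201 (perl), uid 1001: exited on signal 11 (core dumped)",
    "May 17 21:06:44 ftp ftpd[11230]: constructed non-crash line",
]

if __name__ == "__main__":
    for (host, proc), crashes in summarize(SAMPLE).items():
        for c in crashes:
            core = "core written" if c["core"] else "no core"
            print(f"{host} {proc} pid={c['pid']} uid={c['uid']} "
                  f"{FAULT_SIGNALS[c['sig']]} at {c['ts']} ({core})")
```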