Date: Tue, 13 Jan 2004 14:40:26 +0100
From: Radim Kolar
To: FreeBSD-gnats-submit@FreeBSD.org
cc: security-officer@FreeBSD.org
cc: trevor@FreeBSD.org
Subject: ports/61364: fspd:remote exploitable security hole

>Number: 61364
>Category: ports
>Synopsis: fspd:remote exploitable security hole
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jan 14 09:10:13 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Radim Kolar
>Release: FreeBSD 5.2-RELEASE i386
>Organization: Sanatana Dharma
>Environment:
System: FreeBSD asura.bsd 5.2-RELEASE FreeBSD 5.2-RELEASE #0: Sat Jan 10 23:01:11 CET 2004 root@asura.bsd:/usr/src/sys/i386/compile/GENERIC i386

>Description:
ports/net/fspd 281b3 is a very old fsp daemon which is slow and has some major security issues, so nobody should run this junk anymore. You can get a newer version from http://fsp.sourceforge.net/ and repackage it. The current version is autoconfed. There will be fsp281b19 shortly, which has my 2-line patch for a clean bsd compile.

It has two major security problems:
1) root escape
2) buffer overflow when checking paths

>How-To-Repeat:
You can get independent fsp protocol stacks from fsp.sf.net and write nice exploits. FSPD cannot be exploited using the standard tools provided with fsp or by fspclient.

I had fsp exploits before, but after the Debian group updated their fsp distribution, I have deleted them. I sent my exploit to packetstormsecurity and the Debian security team in December, but they did not publish it nor make an announcement. I have no experience with dealing with security holes, but I was surprised that both groups ignored this problem.

These funny paths for root escape look like /../../z/y/z. If I remember correctly, fspd rejects paths starting with a dot, so ../.. does not work.

>Fix:
Remove old junk asap from mirrors, upgrade port. Take a rest.

FSP is a very useful thing; my ISP does not count UDP in my monthly quota. FSP is about 3x slower than TCP.

Radim Kolar
current maintainer of fsp protocol suite

>Release-Note:
>Audit-Trail:
>Unformatted:
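
The difference between the leading-dot rejection the report recalls and a per-component check, shown on the report's own path form. This is an added example, not code from the report or from the fspd source; the function names and the `MAX_REQ_PATH` limit are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the check the report describes: only a leading
 * dot is rejected. Not taken from the fspd source. */
static int leading_dot_check(const char *path)
{
    return path[0] != '.';
}

/* Component-wise check: walk the path, track depth below the served
 * root, and reject as soon as a ".." would climb above it. The length
 * bound refuses over-long requests before any copying happens. */
#define MAX_REQ_PATH 1024   /* assumed limit, not an fspd constant */

static int path_is_confined(const char *path, size_t len)
{
    size_t i = 0, start;
    int depth = 0;

    if (len == 0 || len >= MAX_REQ_PATH || memchr(path, '\0', len) != NULL)
        return 0;
    while (i < len) {
        while (i < len && path[i] == '/')   /* skip separators */
            i++;
        start = i;
        while (i < len && path[i] != '/')
            i++;
        if (i - start == 2 && path[start] == '.' && path[start + 1] == '.') {
            if (--depth < 0)
                return 0;                   /* escapes the root */
        } else if (i > start && !(i - start == 1 && path[start] == '.')) {
            depth++;                        /* ordinary component */
        }
    }
    return 1;
}

int main(void)
{
    const char *samples[] = { "/../../z/y/z", "../..", "/pub/a/../b", "/pub/file" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-14s leading-dot=%d confined=%d\n", samples[k],
               leading_dot_check(samples[k]),
               path_is_confined(samples[k], strlen(samples[k])));
    return 0;
}
```

The check is purely lexical; a server that follows symbolic links inside its root needs a resolved-path comparison as well.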