From: Xin LI
Organization: The FreeBSD Project
Date: Wed, 30 Nov 2011 17:16:39 -0800
To: Mike Tancsa
Cc: freebsd-security@freebsd.org, d@delphij.net, Przemyslaw Frasunek
Subject: Re: ftpd security issue ?
Message-ID: <4ED6D577.9010007@delphij.net>
In-Reply-To: <4ED6D1CD.9080700@sentex.net>
References: <4ED68B4D.4020004@sentex.net> <4ED69B7E.50505@frasunek.com> <4ED6C3C6.5030402@delphij.net> <4ED6D1CD.9080700@sentex.net>

On 11/30/11 17:01, Mike Tancsa wrote:
> On 11/30/2011 7:01 PM, Xin LI wrote:
>>
>>> BTW. This vulnerability affects only configurations where
>>> /etc/ftpchroot exists or the anonymous user is allowed to create
>>> files inside the etc and lib dirs.
>>
>> This doesn't seem to be a typical configuration, or no?
>
> I think in shared hosting environments it would be somewhat common.
> For anon ftp, I don't think the anon user would be able to create /
> write to a lib directory.
>
>>
>> Will the attached patch fix the problem?
>>
>> (I think libc should just refuse /etc/nsswitch.conf and libraries
>> if they are writable by others, by the way)
>
> It does not seem to prevent the issue for me. Using Przemyslaw's
> program,

Sorry, I patched at the wrong place; this one should do.

Note, however, that this is not sufficient to fix the problem: for instance, one can still upload .so's that run arbitrary code at his privilege, which has to be addressed in libc.
I need some time to play around with libc to really fix this one.

Cheers,
-- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die

Attachment: popen.diff

Index: libexec/ftpd/popen.c
===================================================================
--- libexec/ftpd/popen.c	(revision 228164)
+++ libexec/ftpd/popen.c	(working copy)
@@ -143,6 +143,9 @@
 			}
 			(void)close(pdes[1]);
 		}
+		/* Drop privileges before proceeding */
+		if (getuid() != geteuid() && setuid(geteuid()) < 0)
+			_exit(1);
 		if (strcmp(gargv[0], _PATH_LS) == 0) {
 			/* Reset getopt for ls_main() */
 			optreset = optind = optopt = 1;
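Review bot: the privilege drop in this hunk is only half done: the child calls setuid(geteuid()) but never drops the group side, so if the real or saved gid is still privileged when ftpd_popen() runs, the spawned ls (and, per the message above, any shared object it can be made to load) keeps access to that group. Drop the groups before the uid, since setgid() is no longer possible once the uid is unprivileged, e.g. insert ahead of the new setuid() line:

	if (getgid() != getegid() && setgid(getegid()) < 0)
		_exit(1);

A secondary point: the bare _exit(1) leaves no trace for the operator when the drop fails; a syslog() call before exiting would make a misplaced or failing drop (the problem with the first version of this patch) visible in the ftpd log rather than just as a silent empty listing.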
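The mitigation suggested in the quoted reply above, libc refusing /etc/nsswitch.conf or a library that is writable by others, as an added example that is not part of the thread or of FreeBSD's libc. The function name open_trusted_file and the expected-owner parameter are this example's own assumptions; the demonstration runs on a constructed temporary file.

```c
/* Added example (not from the thread or FreeBSD's libc): refuse a
 * configuration file or shared object that anyone other than its
 * expected owner can write, the check the message above proposes. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` read-only only if it is a regular file, owned by `owner`,
 * and not writable by group or others. Returns the descriptor, or -1
 * when the file is refused. The check uses fstat() on the descriptor
 * already opened, not stat() on the path, so the file cannot be swapped
 * between the check and the use; O_NOFOLLOW rejects a symlink planted
 * in a user-writable etc/ or lib/ directory. */
int open_trusted_file(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner
        || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Demonstration on a constructed temporary file (hypothetical name):
 * accepted at mode 0644, refused once it becomes group/world-writable.
 * Returns 1 when both outcomes are as expected, 0 otherwise. */
int demo_trusted_file(void)
{
    char tmpl[] = "/tmp/nsswitch-demo.XXXXXX";
    int fd = mkstemp(tmpl);            /* created with mode 0600 */
    if (fd < 0)
        return 0;
    close(fd);
    chmod(tmpl, 0644);
    int strict = open_trusted_file(tmpl, geteuid());  /* accepted */
    if (strict >= 0)
        close(strict);
    chmod(tmpl, 0666);
    int loose = open_trusted_file(tmpl, geteuid());   /* refused */
    if (loose >= 0)
        close(loose);
    unlink(tmpl);
    return strict >= 0 && loose < 0;
}
```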