From: Mike Tancsa
Organization: Sentex Communications
Date: Thu, 08 Dec 2011 16:52:56 -0500
Message-ID: <4EE131B8.7040000@sentex.net>
To: d@delphij.net
Cc: "freebsd-security@freebsd.org", Przemyslaw Frasunek
Subject: Re: ftpd security issue ?
References: <4ED68B4D.4020004@sentex.net> <4ED69B7E.50505@frasunek.com> <4ED6C3C6.5030402@delphij.net> <4ED6D1CD.9080700@sentex.net> <4ED6D577.9010007@delphij.net> <4ED6DA75.30604@sentex.net>
In-Reply-To: <4ED6DA75.30604@sentex.net>
List-Id: "Security issues [members-only posting]"

On 11/30/2011 8:37 PM, Mike Tancsa wrote:
> On 11/30/2011 8:16 PM, Xin LI wrote:
>>
>> Sorry I patched at the wrong place, this one should do.
>>
>> Note however this is not sufficient to fix the problem, for instance
>> one can still upload .so's that run arbitrary code at his privilege,
>> which has to be addressed in libc. I need some time to play around
>> with libc to really fix this one.
>
> Hi,
> Yes, that looks better! With respect to users uploading .so files, I
> guess why not just upload executables directly? Although I suppose if
> they are not allowed to execute anything, this would be a way around that.
>
> Now to prod the proftpd folks

I was testing sshd when the user's sftp session is chrooted to see how it
behaves. Because of the safety design of the way sshd is written, it's not
possible to do this out of the box. The person would first need to create
those files as root, since the chroot directory is not writable by the user,
as explained in

http://www.gossamer-threads.com/lists/openssh/dev/44657

But if somehow the user is able to create those directories at the top, or
those directories are created ahead of time for the user and are writable by
them, the bogus lib will and does run in the user's context. I don't imagine
this is common, but I am sure there is some potential foot shooting going on.

Looking at the scponly port, it seems well aware of this based on the
suggested setup. But again, foot shooting could happen if the lib path is
not secured properly.

Other than having /etc/nsswitch.conf, are there any other methods that would
trigger loading of shared libs in the chrooted environment?

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/