From: Xin Li <delphij@delphij.net>
Organization: The FreeBSD Project
Date: Thu, 08 Dec 2011 14:24:16 -0800
To: Mike Tancsa
Cc: freebsd-security@freebsd.org, d@delphij.net, Przemyslaw Frasunek
Subject: Re: ftpd security issue ?
Message-ID: <4EE13910.2030103@delphij.net>
In-Reply-To: <4EE131B8.7040000@sentex.net>
References: <4ED68B4D.4020004@sentex.net> <4ED69B7E.50505@frasunek.com> <4ED6C3C6.5030402@delphij.net> <4ED6D1CD.9080700@sentex.net> <4ED6D577.9010007@delphij.net> <4ED6DA75.30604@sentex.net> <4EE131B8.7040000@sentex.net>
On 12/08/11 13:52, Mike Tancsa wrote:
> On 11/30/2011 8:37 PM, Mike Tancsa wrote:
>> On 11/30/2011 8:16 PM, Xin LI wrote:
>>>
>>> Sorry I patched at the wrong place, this one should do.
>>>
>>> Note however this is not sufficient to fix the problem, for
>>> instance one can still upload .so's that run arbitrary code at
>>> his privilege, which has to be addressed in libc. I need some
>>> time to play around with libc to really fix this one.
>>
>> Hi, Yes, that looks better! With respect to users uploading .so
>> files, I guess why not just upload executables directly?
>> Although I suppose if they are not allowed to execute anything,
>> this would be a way around that.
>>
>> Now to prod the proftpd folks
>
> I was testing sshd when the user's sftp session is chrooted to see
> how it behaves. Because of the safety design of the way sshd is
> written, it's not possible to do this out of the box. The person
> would first need to create those files as root since the chroot
> directory is not writeable by the user as explained in
> http://www.gossamer-threads.com/lists/openssh/dev/44657
>
> But if somehow the user is able to create those directories at the
> top, or those directories are created ahead of time for the user
> that's writeable by them, the bogus lib will and does run in the
> user's context.
>
> I don't imagine this is common, but I am sure there is some
> potential foot shooting going on. Looking at the scponly port, it
> seems well aware of this based on the suggested setup. But again,
> foot shooting could happen if the lib path is not secured
> properly.
>
> Other than having /etc/nsswitch.conf, are there any other methods
> that would trigger loading of shared libs in the chrooted
> environment?

PAM and iconv (not enabled by default) come to mind.

Cheers,
--
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
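The "lib path is not secured properly" foot-gun the thread describes is easy to audit mechanically: the chroot root and every parent directory, plus every directory inside the jail that libc (via nsswitch.conf), PAM or iconv could dlopen() a module from, must be owned by a trusted user and not writable by group or others. The script below is an added example written for this page; it is not code from the thread, from ftpd, sshd or the FreeBSD project. The list of loader directories (LOADER_DIRS) is an assumption drawn from where FreeBSD installs NSS, PAM and iconv modules and should be adjusted to what is actually populated in the jail, and the function names are mine.

```shell
#!/bin/sh
# audit_chroot.sh: added example, not code from the thread or from FreeBSD.
# Checks a chroot root for the foot-gun discussed above: if the chrooted
# user can write to the top of the tree, or to any directory that libc
# (nsswitch), PAM or iconv may dlopen() a module from, a planted .so runs
# with whatever credentials the daemon holds for that user.
#
# Rule applied (the same one sshd enforces for ChrootDirectory): every
# directory from the chroot root up to a trusted parent, and every loader
# directory inside the chroot, must be owned by the expected owner and have
# neither the group nor the other write bit set. nsswitch.conf itself gets
# the same check, since that is where the module names come from.

# Directories (relative to the chroot) from which a module could be loaded.
# ASSUMPTION: based on where FreeBSD installs NSS, PAM and iconv modules;
# adjust to what is actually populated in your jail.
LOADER_DIRS="etc lib usr/lib usr/local/lib usr/lib/i18n usr/local/lib/i18n"

# node_secure PATH OWNER: succeed if PATH exists, is owned by OWNER (name or
# numeric uid) and is not writable by group or others.
node_secure() {
    [ -e "$1" ] || return 1
    # find prints the path only when one of the bad conditions holds;
    # -prune keeps it from descending into a directory.
    bad=$(find "$1" -prune \( ! -user "$2" -o -perm -0002 -o -perm -0020 \) -print)
    [ -z "$bad" ]
}

# check_chain ROOT REL OWNER: walk ROOT/REL one component at a time and
# check every component that exists. A missing component is fine: the user
# cannot create it when its (already checked) parent is secure.
check_chain() {
    cc_root=$1 cc_rel=$2 cc_owner=$3 chain_rc=0
    p=$cc_root
    old_ifs=$IFS; IFS=/; set -- $cc_rel; IFS=$old_ifs
    for comp in "$@"; do
        [ -n "$comp" ] || continue
        p="$p/$comp"
        [ -e "$p" ] || break
        if ! node_secure "$p" "$cc_owner"; then
            echo "INSECURE: $p (must be owned by $cc_owner and not group/world writable)"
            chain_rc=1
        fi
    done
    return $chain_rc
}

# audit_chroot ROOT [OWNER] [STOP]: print one line per problem and fail if
# any was found. OWNER defaults to root; STOP is the topmost parent to
# check (default /).
audit_chroot() {
    root=$1 owner=${2:-root} stop=${3:-/} problems=0

    # 1. The chroot directory and its parents: a writable directory here
    #    lets the user create etc/ or lib/ inside the jail in the first place.
    p=$root
    while :; do
        if ! node_secure "$p" "$owner"; then
            echo "INSECURE: $p (must be owned by $owner and not group/world writable)"
            problems=$((problems + 1))
        fi
        [ "$p" = "$stop" ] && break
        [ "$p" = "/" ] && break
        p=$(dirname "$p")
    done

    # 2. Loader directories inside the jail, plus nsswitch.conf itself.
    for rel in $LOADER_DIRS etc/nsswitch.conf; do
        check_chain "$root" "$rel" "$owner" || problems=$((problems + 1))
    done

    [ "$problems" -eq 0 ]
}

# Command-line use: sh audit_chroot.sh /home/ftp/jail [owner] [stop]
if [ $# -gt 0 ]; then
    audit_chroot "$@"
fi
```

Run it as root against each chrooted account's tree; a clean run prints nothing and exits 0. The check only covers the directories it is told about: a jail that carries extra library search paths (an ld-elf.so.hints copy, LD_LIBRARY_PATH honoured by a set-uid-less daemon, a port with its own module directory) needs those added to LOADER_DIRS.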