Date: Sun, 18 Feb 2018 17:24:07 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 226004] tftpd: with relative pathnames, tftpd doesn't validate world writability
Message-ID: <bug-226004-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226004

            Bug ID: 226004
           Summary: tftpd: with relative pathnames, tftpd doesn't validate
                    world writability
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: asomers@FreeBSD.org

tftpd(8)'s man page says that files may be written only if they already exist
and are publicly writable. However, it doesn't correctly validate public
writability when given a relative pathname. In validate_access at line 746, it
checks for the S_IROTH bit, regardless of the mode. It should check for S_IWOTH
when the mode is WRQ.

Steps to reproduce:
1) In inetd.conf, ensure that the "-s" option is lacking
2) In an authorized directory (such as /tftpboot), create a file named
   "world_readable" with mode 444
3) From a client, create a file named foo.txt and do
   "echo put foo.txt world_readable | tftp <hostname>"
4) Check the server's /var/log/xferlog. It should show something like this:

Feb 17 21:49:37 fbsd12 tftpd[1512]: Filename: 'world_readable'
Feb 17 21:49:37 fbsd12 tftpd[1512]: Mode: 'netascii'
Feb 17 21:49:37 fbsd12 tftpd[1512]: 192.168.0.16: write request for /tmp/tftpboot/world_readable: success

Note that this is not a security vulnerability, because the transfer ultimately
doesn't work unless the file already exists and is owned by user nobody.

-- 
You are receiving this mail because:
You are the assignee for the bug.
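
The permission check described in the report, as an added example that is not part of the original message and is not tftpd's source. The names perm_ok_reported, perm_ok_expected and scratch_mode are hypothetical, and the scratch file under /tmp is constructed input standing in for the "world_readable" file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* TFTP request opcodes (RFC 1350). */
enum { RRQ = 1, WRQ = 2 };

/* Behaviour the report describes: the world-read bit is tested for
 * every request type, so a mode-0444 file passes a write request. */
static int perm_ok_reported(mode_t st_mode, int req)
{
    (void)req;
    return (st_mode & S_IROTH) != 0;
}

/* Check the report asks for: S_IWOTH for WRQ, S_IROTH for RRQ. */
static int perm_ok_expected(mode_t st_mode, int req)
{
    mode_t need = (req == WRQ) ? S_IWOTH : S_IROTH;
    return (st_mode & need) != 0;
}

/* Constructed input: create a scratch file with the given permission
 * bits and return its st_mode from fstat(); 0 on failure. */
static mode_t scratch_mode(mode_t perms)
{
    char path[64];
    struct stat sb;
    mode_t m = 0, old = umask(0);   /* keep the "other" bits intact */
    int fd;
    snprintf(path, sizeof path, "/tmp/tftpd_perm_%ld", (long)getpid());
    fd = open(path, O_CREAT | O_EXCL | O_RDONLY, perms);
    umask(old);
    if (fd < 0)
        return 0;
    if (fstat(fd, &sb) == 0)
        m = sb.st_mode;
    close(fd);
    unlink(path);
    return m;
}

int main(void)
{
    mode_t m = scratch_mode(0444);  /* the "world_readable" file */
    printf("WRQ on 0444: reported=%d expected=%d\n", perm_ok_reported(m, WRQ), perm_ok_expected(m, WRQ));
    return 0;
}
```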
