From: Xin Li
Organization: The FreeBSD Project
Date: Mon, 05 Dec 2011 11:48:55 -0800
To: Mike Tancsa
Cc: "freebsd-security@freebsd.org", d@delphij.net, Przemyslaw Frasunek
Subject: Re: ftpd security issue ?
Message-ID: <4EDD2027.9030807@delphij.net>
In-Reply-To: <4EDD1F2F.20802@sentex.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/05/11 11:44, Mike Tancsa wrote:
> On 11/30/2011 8:16 PM, Xin LI wrote:
>> On 11/30/11 17:01, Mike Tancsa wrote:
>>> On 11/30/2011 7:01 PM, Xin LI wrote:
>>>>
>>>>> BTW. This vulnerability affects only configurations, where
>>>>> /etc/ftpchroot exists or anonymous user is allowed to
>>>>> create files inside etc and lib dirs.
>>>>
>>>> This doesn't seem to be typical configuration or no?
>>
>>> I think in shared hosting environments it would be somewhat
>>> common. For anon ftp, I don't think the anon user would be able
>>> to create / write to a lib directory.
>>
>>>>
>>>> Will the attached patch fix the problem?
>>>>
>>>> (I think libc should just refuse /etc/nsswitch.conf and
>>>> libraries if they are writable by others by the way)
>>
>>> It does not seem to prevent the issue for me. Using
>>> Przemyslaw program's,
>>
>> Sorry I patched at the wrong place, this one should do.
>>
>> Note however this is not sufficient to fix the problem, for
>> instance one can still upload .so's that run arbitrary code at
>> his privilege, which has to be addressed in libc. I need some
>> time to play around with libc to really fix this one.
>
> Forgive the naive question, but is there a way to prevent a process
> (in this case proftpd) from loading a .so if the session is in a
> chrooted environment ? Or if at the start of the process, is there
> a way to force the process to load a lib so that later on, it won't
> try and load the "bad" lib ?

Currently no (I thought you were in the cc list in my discussion with
kib@?).

My initial plan was simply rejecting .so's with wrong permissions but in
the discussion it turns out that would not be sufficient and we have also
considered other ways to do it, e.g. have a wrapper where one can disable
them completely. I have not a full solution yet as the change would touch
quite a lot of things in the base system...

- -- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk7dICcACgkQOfuToMruuMCwmQCcDggWC5xvH1dik8i55KQXVaQq
ZtEAn0OCbzspSS2sKfOs1MsDHc9mw2su
=pxAJ
-----END PGP SIGNATURE-----
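
The check described in the message above as the initial plan (refusing a library or /etc/nsswitch.conf that others can write), sketched as an added example; it is not code from this thread or from FreeBSD libc. `file_is_trustworthy`, `check_sample` and the `trusted_uid` parameter are hypothetical names, a real caller would pass uid 0, and the message itself notes that this check alone would not be sufficient.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not FreeBSD libc code: return 1 only if `path` is a
 * regular file owned by `trusted_uid` and not writable by group or others.
 * Any error counts as "do not trust" (fail closed). */
int file_is_trustworthy(const char *path, uid_t trusted_uid)
{
    struct stat st;
    /* Open first and fstat() the descriptor, so the object that was checked
     * is the object that would be read. O_NONBLOCK keeps a FIFO from hanging. */
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return 0;
    int ok = fstat(fd, &st) == 0 &&
             S_ISREG(st.st_mode) &&
             st.st_uid == trusted_uid &&
             (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
    close(fd);
    return ok;
}

/* Constructed sample input: a temporary file given `mode`, then checked
 * against `owner`. Returns the verdict, or -1 if setup failed. */
int check_sample(mode_t mode, uid_t owner)
{
    char path[] = "/tmp/trustcheck.XXXXXX";
    int verdict, fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0) { close(fd); unlink(path); return -1; }
    close(fd);
    verdict = file_is_trustworthy(path, owner);
    unlink(path);
    return verdict;
}

int main(void)
{
    uid_t me = geteuid();  /* stand-in for uid 0 so the demo runs unprivileged */
    printf("0644, expected owner:  %d\n", check_sample(0644, me));
    printf("0666, expected owner:  %d\n", check_sample(0666, me));
    printf("0644, different owner: %d\n", check_sample(0644, me + 1));
    return 0;
}
```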