Date: Tue, 10 Aug 2010 11:45:13 +0200
From: Przemyslaw Frasunek <przemyslaw@frasunek.com>
To: freebsd-security@freebsd.org
Subject: Re: ~/.login_conf mechanism is flawed
Message-ID: <4C611FA9.6070409@frasunek.com>
In-Reply-To: <alpine.BSF.2.00.1008100841350.96753@tiktik.epipe.com>
> What I found especially worrying is that this user-supplied untrustable
> file is being parsed and processed by various daemons and other
> login mechanisms BEFORE permanently dropping root privileges. Unless
> there is a very strong reason, which I am overlooking, to do so, I
> find this design very flawed.

This seems to be incorrect for both ftpd and sshd on 6.4-RELEASE.

 41673 sshd CALL  setuid(0xbb8)
 41673 sshd RET   setuid 0
 41673 sshd CALL  seteuid(0xbb8)
 41673 sshd RET   seteuid 0
 41673 sshd NAMI  "/home/venglin/.login_conf"
 41673 sshd NAMI  "/home/venglin/.login_conf.db"
 41673 sshd NAMI  "/home/venglin/.login_conf.db"

 41513 ftpd CALL  seteuid(0xbb8)
 41513 ftpd RET   seteuid 0
 41513 ftpd NAMI  "/home/venglin/.login_conf"
 41513 ftpd NAMI  "/home/venglin/.login_conf.db"
 41513 ftpd NAMI  "/home/venglin/.login_conf.db"

Back in 2001 I found a very similar vulnerability in 4.4-RELEASE, which allowed reading any file in the system with root privileges:

http://marc.info/?l=bugtraq&m=100101802423376&w=2

Since then, elevated privileges are dropped before parsing login_conf.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin@nette.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
Link to this message: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4C611FA9.6070409>
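The ordering the ktrace output above is checking (credentials switched to the target user first, the user-controlled ~/.login_conf opened only afterwards) can be written down as a small C pattern. The following is an added example written for this page; it is not code from the message, from FreeBSD's libc or from sshd/ftpd, and the function names, the O_NOFOLLOW hardening and the constructed temporary directory are assumptions made here for illustration. The privilege drop is permanent (setgroups, setgid, setuid in that order) and is verified by attempting to regain root before any user-owned file is touched; the demo runs without root by dropping to the caller's own uid and gid.

```c
#define _GNU_SOURCE
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <grp.h>      /* setgroups() lives here on Linux, in unistd.h on BSD */
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Permanently drop to (uid, gid). Returns 0 on success, -1 on failure.
 * Order matters: supplementary groups first, then gid, then uid, because
 * once the uid is non-zero the first two calls are no longer permitted.
 * A plain seteuid() would NOT be enough: the saved uid would still be 0
 * and the process could switch back after parsing the file. */
int drop_privs_permanently(uid_t uid, gid_t gid) {
    if (geteuid() == 0) {                   /* only root may change groups */
        if (setgroups(1, &gid) == -1) return -1;
    }
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

/* Open a user-controlled dotfile with the user's own credentials.
 * Call this only after drop_privs_permanently(). O_NOFOLLOW (an added
 * hardening assumption, not something the page describes) refuses a
 * symlink as the final path component, so a link planted in ~ cannot
 * redirect the read elsewhere; it does not guard intermediate components. */
int open_user_dotfile(const char *path) {
    return open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
}

/* Constructed demo: build a fake home directory under /tmp, drop to our
 * own credentials (so no root is needed), then show that the regular
 * .login_conf opens and a symlink named like it is refused with ELOOP.
 * Returns 0 when every step behaves as expected, a negative step number
 * otherwise. */
int demo_login_conf_order(void) {
    char dir[] = "/tmp/lcdemo.XXXXXX";
    char conf[512], link[512];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(conf, sizeof conf, "%s/.login_conf", dir);
    snprintf(link, sizeof link, "%s/.login_conf.link", dir);

    FILE *f = fopen(conf, "w");              /* constructed sample content */
    if (f == NULL) return -2;
    fputs("default:\\\n\t:welcome=/etc/motd:\n", f);
    fclose(f);
    if (symlink("/etc/master.passwd", link) == -1) return -3;

    /* Step 1: credentials first, exactly as the ktrace trace shows. */
    if (drop_privs_permanently(getuid(), getgid()) == -1) return -4;

    /* Step 2: only now touch anything the user controls. */
    int fd = open_user_dotfile(conf);
    if (fd == -1) return -5;
    close(fd);
    if (open_user_dotfile(link) != -1 || errno != ELOOP) return -6;

    unlink(link); unlink(conf); rmdir(dir);
    return 0;
}

int main(void) {
    int rc = demo_login_conf_order();
    printf("demo result: %d (0 = privilege drop preceded the file open)\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Run as an ordinary user the demo drops to the same uid it already has, which is allowed, and the regain check confirms setuid(0) fails; run as root it drops to root's own ids, so the regain check is skipped but the open-after-drop ordering is still exercised.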
