From owner-freebsd-security@FreeBSD.ORG Thu Dec 1 00:01:11 2011
Date: Wed, 30 Nov 2011 16:01:10 -0800
Message-ID: <4ED6C3C6.5030402@delphij.net>
From: Xin LI
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: Przemyslaw Frasunek
Cc: freebsd-security@freebsd.org
Subject: Re: ftpd security issue ?
In-Reply-To: <4ED69B7E.50505@frasunek.com>
References: <4ED68B4D.4020004@sentex.net> <4ED69B7E.50505@frasunek.com>

On 11/30/11 13:09, Przemyslaw Frasunek wrote:
>> Saw this on FD... Anyone know any more details about this ?
>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html
>>
>
> This is a well known hazard of chrooting to directories controlled
> by unprivileged users. In this case, the vulnerability exists because
> ftpd calls /bin/ls with uid=0 and euid!=0 when the STAT command is
> issued, and nss_compat.so is loaded by libc regardless of elevated
> privileges.
>
> This can be proven by creating a dummy ~/lib/nss_compat.so.1:
>
> [venglin@lagoon ~/lib]$ cat dummy.c
> #include <stdio.h>
> #include <unistd.h>
>
> void _init() {
>     FILE *fp = fopen("asdf", "w+");
>     fprintf(fp, "%d %d\n", getuid(), geteuid());
> }
> [venglin@lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC
> [venglin@lagoon ~/lib]$ cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o -nostartfiles
> [venglin@lagoon ~/lib]$ mv dummy.so nss_compat.so.1
>
> And after calling the STAT command:
>
> [venglin@lagoon ~/lib]$ cat ~/asdf
> 0 3000
>
> BTW. This vulnerability affects only configurations where
> /etc/ftpchroot exists or the anonymous user is allowed to create files
> inside the etc and lib dirs.

This doesn't seem to be a typical configuration, or no?

Will the attached patch fix the problem?

(I think libc should just refuse /etc/nsswitch.conf and libraries if
they are writable by others, by the way)

Cheers,
--
Xin LI    https://www.delphij.net/
FreeBSD - The Power to Serve!
Live free or die

Attachment: popen.diff

Index: libexec/ftpd/popen.c
===================================================================
--- libexec/ftpd/popen.c	(revision 228156)
+++ libexec/ftpd/popen.c	(working copy)
@@ -157,6 +157,7 @@ ftpd_popen(char *program, char *type)
 			}
 			exit(ls_main(gargc, gargv));
 		}
+		setuid(geteuid());
 		execv(gargv[0], gargv);
 		_exit(1);
 	}
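Review bot: the return value of the added `setuid(geteuid())` is not checked, so if the call fails the child falls straight through to `execv(gargv[0], gargv)` with the real uid still 0, which is exactly the uid=0/euid!=0 state the thread describes. Suggest `if (setuid(geteuid()) != 0) _exit(1);` and, after it, a `getuid() == geteuid()` check before the exec so the process cannot reach the external program half-dropped. Note also that the call sits after the block that ends in `exit(ls_main(gargc, gargv));`, so the in-process ls path exits before reaching it; whether that path runs under the same uid/euid mismatch should be confirmed, since this change only covers the execv path.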
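As an added example, not code from this thread, from ftpd, or from FreeBSD libc: a loader-side check of the kind Xin LI's parenthetical suggests, refusing an NSS module (or nsswitch.conf) unless both the file and the directory holding it are owned by a trusted uid and writable by nobody else. `owned_and_unwritable`, `nss_module_trusted` and `demo_check` are hypothetical names; `demo_check` creates a constructed, empty nss_compat.so.1 under /tmp with the given modes and uses the calling uid as the trusted owner, where a real loader would insist on root.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical check: accept only a plain file (or, if want_dir, a directory)
 * owned by trusted_uid and writable by no one else.  lstat() refuses symlinks. */
static int owned_and_unwritable(const char *p, uid_t trusted_uid, int want_dir)
{
	struct stat st;
	if (lstat(p, &st) != 0) return 0;
	if (want_dir ? !S_ISDIR(st.st_mode) : !S_ISREG(st.st_mode)) return 0;
	return st.st_uid == trusted_uid && !(st.st_mode & (S_IWGRP | S_IWOTH));
}

/* Both the module and its directory must pass, so a group- or world-writable
 * lib directory inside a chroot is refused even when the file looks fine. */
int nss_module_trusted(const char *path, uid_t trusted_uid)
{
	char buf[4096];
	if (snprintf(buf, sizeof buf, "%s", path) >= (int)sizeof buf) return 0;
	return owned_and_unwritable(path, trusted_uid, 0) &&
	    owned_and_unwritable(dirname(buf), trusted_uid, 1);
}

/* Demo: constructed lib dir under /tmp holding an empty nss_compat.so.1, the
 * given modes applied, checked with ourselves as trusted owner, then removed.
 * Returns 1 = accept, 0 = refuse, -1 = could not create the files. */
int demo_check(mode_t dir_mode, mode_t file_mode)
{
	char dir[] = "/tmp/nsschkXXXXXX", file[64];
	int fd, ok;
	if (mkdtemp(dir) == NULL) return -1;
	snprintf(file, sizeof file, "%s/nss_compat.so.1", dir);
	if ((fd = open(file, O_WRONLY | O_CREAT, 0600)) < 0) { rmdir(dir); return -1; }
	close(fd);
	chmod(file, file_mode);
	chmod(dir, dir_mode);
	ok = nss_module_trusted(file, getuid());
	chmod(dir, 0700);	/* so our own cleanup cannot be blocked */
	unlink(file);
	rmdir(dir);
	return ok;
}
```

demo_check(0755, 0644) is accepted; demo_check(0755, 0666) and demo_check(0777, 0644) are refused, the second because the directory, not the file, is writable by others.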