From: Dag-Erling Smorgrav
Date: 23 Apr 2001 12:16:44 +0200
To: Victor Sudakov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Q: Impact of globbing vulnerability in ftpd
In-Reply-To: <20010423111632.B17342@sibptus.tomsk.ru>

Victor Sudakov writes:
> I do not quite understand the impact of the globbing vulnerability.

There was an exploitable buffer overflow in the globbing code.

> As far as I understand, it can be exploited only after a user has
> logged in, so ftpd is already chrooted

Not necessarily.

> and running with the uid of
> the user at the moment. What serious trouble can an attacker
> cause under these conditions?

Run arbitrary code on the target machine, which may perform operations
(such as creating new directories to store warez) which the FTP server
normally doesn't allow the user to perform, or even exploit a local
root compromise.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org