From owner-freebsd-security  Mon Apr 23  4:12:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from sibptus.tomsk.ru (sibptus.tomsk.ru [213.59.238.16])
	by hub.freebsd.org (Postfix) with ESMTP id E08B937B42C
	for <freebsd-security@freebsd.org>; Mon, 23 Apr 2001 04:12:46 -0700 (PDT)
	(envelope-from sudakov@sibptus.tomsk.ru)
Received: (from sudakov@localhost)
	by sibptus.tomsk.ru (8.9.3/8.9.3) id TAA26099;
	Mon, 23 Apr 2001 19:07:37 +0800 (KRAST)
	(envelope-from sudakov)
Date: Mon, 23 Apr 2001 19:07:37 +0800
From: Victor Sudakov <sudakov@sibptus.tomsk.ru>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: freebsd-security@freebsd.org
Subject: Re: Q: Impact of globbing vulnerability in ftpd
Message-ID: <20010423190737.A25969@sibptus.tomsk.ru>
References: <20010423111632.B17342@sibptus.tomsk.ru> <xzpitjvgbub.fsf@flood.ping.uio.no>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <xzpitjvgbub.fsf@flood.ping.uio.no>; from des@ofug.org on Mon, Apr 23, 2001 at 12:16:44PM +0200
Organization: AO "Svyaztransneft", SibPTUS
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Apr 23, 2001 at 12:16:44PM +0200, Dag-Erling Smorgrav wrote:
> > I do not quite understand the impact of the globbing vulnerability.
> 
> There was an exploitable buffer overflow in the globbing code.
> 
> > As far as I understand, it can be exploited only after a user has
> > logged in, so ftpd is already chrooted
> 
> Not necessarily.

Anonymous account is always chrooted. I think you have to play
with the source to disable this.

> 
> >                                        and running with the uid of
> > the user at the moment.  What serious trouble can an attacker
> > cause under these conditions?
> 
> Run arbitrary code on the target machine, which may perform operations
> (such as creating new directories to store warez) which the FTP server
> normally doesn't allow the user to perform, 

How is this possible if ftpd drops root privileges after
successful login?

> or even exploit a local
> root compromise.
> 

So, if the users already have shell accounts, this security hole
does not matter for me, does it?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/149@fidonet http://vas.tomsk.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message