From owner-freebsd-security@FreeBSD.ORG Thu Dec 29 19:10:37 2011
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id EC19D1065670; Thu, 29 Dec 2011 19:10:37 +0000 (UTC) (envelope-from delphij@gmail.com)
Received: from mail-tul01m020-f182.google.com (mail-tul01m020-f182.google.com [209.85.214.182]) by mx1.freebsd.org (Postfix) with ESMTP id 97D408FC15; Thu, 29 Dec 2011 19:10:37 +0000 (UTC)
Received: by obbwd18 with SMTP id wd18so14637081obb.13 for ; Thu, 29 Dec 2011 11:10:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to:cc:content-type:content-transfer-encoding; bh=g9zSVYANCNJ7bSc+tcA+NLJqC880IgZygT9GMpO2KVI=; b=qVCizch/K0bsU8ZucP6riYOgVcW/bX1izzV8lbYVtzg2emg0ODntXoBSR/tPofhIJWQfZWSKBIU6k4tlCDzTFoN0xhKgbxnKxW/cTBKAj8ZaKCef2AsKCjs3aKcGmf2ZbFrZC7hZLWS/mrbC9vuQgbSJMinZV3lKcIao9GzRuIg=
MIME-Version: 1.0
Received: by 10.182.76.134 with SMTP id k6mr23802170obw.10.1325185837182; Thu, 29 Dec 2011 11:10:37 -0800 (PST)
Received: by 10.182.67.163 with HTTP; Thu, 29 Dec 2011 11:10:37 -0800 (PST)
In-Reply-To: <201112291400.41075.jhb@freebsd.org>
References: <201112231500.pBNF0c0O071712@svn.freebsd.org> <201112291343.02248.jhb@freebsd.org> <4EFCB4F1.2050500@delphij.net> <201112291400.41075.jhb@freebsd.org>
Date: Thu, 29 Dec 2011 11:10:37 -0800
Message-ID:
From: Xin LI
To: John Baldwin
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: freebsd-security@freebsd.org, Doug Barton
Subject: Re: svn commit: r228843 - head/contrib/telnet/libtelnet head/crypto/heimdal/appl/telnet/libtelnet head/include head/lib/libc/gen head/lib/libc/iconv head/lib/libc/include head/lib/libc/net head/libexec...
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 29 Dec 2011 19:10:38 -0000

On Thu, Dec 29, 2011 at 11:00 AM, John Baldwin wrote:
> On Thursday, December 29, 2011 1:44:01 pm Xin Li wrote:
>> On 12/29/11 10:43, John Baldwin wrote:
>> > On Thursday, December 29, 2011 1:26:17 pm Xin Li wrote:
>> >> On 12/29/11 06:39, John Baldwin wrote:
>> >>> Can you give some more details on why ftpd is triggering a
>> >>> dlopen inside of the chroot? It would appear that that is
>> >>> unrelated to helper programs (since setting a flag in libc in
>> >>> ftpd can't possibly affect helper programs' ability to use
>> >>> dlopen() from within libc).
>> >>
>> >> Sure. That's because nsdispatch(3) would reload
>> >> /etc/nsswitch.conf if it notices a change. After chroot() the
>> >> file is considered as "chang"ed and thus it reloads the file as
>> >> well as designated shared libraries.
>> >
>> > But ftpd has to be doing some operation that invokes an nss lookup
>> > after entering the chroot for that to trigger, correct?
>>
>> Oh ok, that was the built-in ls(1).
>
> Were we not able to drop privilege before doing that? I.e. if you
> forked a new process that dropped privilege before doing the ls
> (similar to if you were to exec /bin/ls as a helper), would that not
> have fixed this?

No, it won't. This is arbitrary code execution and not just privilege
escalation :(

Cheers,
-- 
Xin LI https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die