From: Janne Snabb <snabb@epipe.com>
To: Przemyslaw Frasunek
Cc: freebsd-security@freebsd.org
Date: Tue, 10 Aug 2010 10:02:35 +0000 (UTC)
Subject: Re: ~/.login_conf mechanism is flawed
In-Reply-To: <4C611FA9.6070409@frasunek.com>

On Tue, 10 Aug 2010, Przemyslaw Frasunek wrote:

> This seems to be incorrect for both ftpd and sshd on 6.4-RELEASE.
>
> 41673 sshd CALL setuid(0xbb8)
> 41673 sshd RET setuid 0
> 41673 sshd CALL seteuid(0xbb8)
> 41673 sshd RET seteuid 0
> 41673 sshd NAMI "/home/venglin/.login_conf"
> 41673 sshd NAMI "/home/venglin/.login_conf.db"
> 41673 sshd NAMI "/home/venglin/.login_conf.db"

The above actually seems correct to me. Both uid and euid are set before
accessing the capabilities. On 8.1-RELEASE this is different: only euid is
set to the user (to make it possible to access this file if the home
directory happens to be NFS mounted without root access?).

> 41513 ftpd CALL seteuid(0xbb8)
> 41513 ftpd RET seteuid 0
> 41513 ftpd NAMI "/home/venglin/.login_conf"
> 41513 ftpd NAMI "/home/venglin/.login_conf.db"
> 41513 ftpd NAMI "/home/venglin/.login_conf.db"

This is clearly wrong: it is still possible to change euid back to 0. It is
still possible to setrlimit() anything.

> Back in 2001 I found a very similar vulnerability in 4.4-RELEASE, which allowed
> to read any file in system with root privileges:
>
> http://marc.info/?l=bugtraq&m=100101802423376&w=2

Hehe... I was about to try out this one next.

--
Janne Snabb / EPIPE Communications
snabb@epipe.com - http://epipe.com/
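The distinction the two ktrace excerpts turn on is whether the privilege drop before touching a user-controlled file is reversible. The following C program is an added illustration for this thread; it is not code from the message, from FreeBSD, or from sshd/ftpd. It contrasts a seteuid()-only drop (the ftpd pattern quoted above, after which seteuid(0) is still permitted because the real and saved uids remain 0) with a setuid()-then-seteuid() drop (the sshd pattern), and provides a check that root can no longer be regained. The fallback uid 65534 used when the program is started as root is an assumption for demonstration purposes; setuid() does not require that uid to exist in /etc/passwd.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Added illustration (not code from the thread or from FreeBSD's sshd/ftpd).
 * A daemon that is about to read a file under the user's control, or call
 * setrlimit() on the user's behalf, should first reach a state in which it
 * cannot return to uid 0. */

/* Temporary drop: only the effective uid changes; the real and saved uids
 * stay 0, so seteuid(0) is still allowed afterwards.  This is what the
 * ftpd trace in the thread shows. */
int drop_privs_temporarily(uid_t user)
{
    return seteuid(user);
}

/* Permanent drop: setuid() called with euid 0 sets the real, effective and
 * saved uids, so no uid 0 remains to switch back to.  The explicit seteuid()
 * afterwards mirrors the sshd trace.  Returns 0 on success, -1 otherwise. */
int drop_privs_permanently(uid_t user)
{
    if (setuid(user) != 0)
        return -1;
    if (seteuid(user) != 0)
        return -1;
    return 0;
}

/* Returns 1 if the process can still become root (the drop was temporary or
 * never happened), 0 if seteuid(0) is refused.  If the switch succeeds we
 * go straight back to the uid we were running as, so the caller's state is
 * left unchanged. */
int can_regain_root(void)
{
    uid_t before = geteuid();

    if (before == 0)
        return 1;
    if (seteuid(0) == 0) {
        seteuid(before);
        return 1;
    }
    return 0;
}

/* The safe pattern as one check: drop permanently to `user` and verify that
 * both uids now equal `user` and root cannot be regained.  Returns 1 when
 * the process is in that irreversible state, 0 otherwise. */
int dropped_for_good(uid_t user)
{
    if (drop_privs_permanently(user) != 0)
        return 0;
    return geteuid() == user && getuid() == user && !can_regain_root();
}

/* Choose a uid to drop to: our own uid when already unprivileged (the drop
 * is then a no-op, but the checks still run), or the conventional "nobody"
 * uid 65534 (an assumption made for this example) when running as root. */
uid_t unprivileged_target(void)
{
    return getuid() == 0 ? (uid_t)65534 : getuid();
}

int main(void)
{
    uid_t target = unprivileged_target();

    if (geteuid() == 0) {
        /* Started as root: show that the seteuid-only drop is reversible... */
        drop_privs_temporarily(target);
        printf("after seteuid only, can regain root: %d\n", can_regain_root());
        seteuid(0);
    }
    /* ...and that the setuid drop is not (also meaningful when unprivileged). */
    printf("after permanent drop, dropped for good: %d\n", dropped_for_good(target));
    return 0;
}
```

Run unprivileged, the program only exercises the permanent-drop path and reports that root cannot be regained; run as root, the first line shows 1 (the seteuid()-only state can be undone) and the second shows 1 (after setuid() it cannot). The point for reviewing traces like the ones above is that a bare seteuid() before a NAMI on a user's file is not a privilege drop at all, only a change of which uid the kernel checks file permissions against.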