From owner-freebsd-security Mon Apr 23 9:56:16 2001 Delivered-To: freebsd-security@freebsd.org Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 9092A37B424 for ; Mon, 23 Apr 2001 09:56:13 -0700 (PDT) (envelope-from crist.clark@globalstar.com) Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GC98D300.QK6; Mon, 23 Apr 2001 09:55:51 -0700 Message-ID: <3AE45EAC.18A180EE@globalstar.com> Date: Mon, 23 Apr 2001 09:56:12 -0700 From: "Crist Clark" Organization: Globalstar LP X-Mailer: Mozilla 4.77 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Dag-Erling Smorgrav Cc: Victor Sudakov , freebsd-security@FreeBSD.ORG Subject: Re: Q: Impact of globbing vulnerability in ftpd References: <20010423111632.B17342@sibptus.tomsk.ru> <20010423190737.A25969@sibptus.tomsk.ru> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Dag-Erling Smorgrav wrote: > > Victor Sudakov writes: > > On Mon, Apr 23, 2001 at 12:16:44PM +0200, Dag-Erling Smorgrav wrote: > > > > As far as I understand, it can be exploited only after a user has > > > > logged in, so ftpd is already chrooted > > > Not necessarily. > > Anonymous account is always chrooted. I think you have to play > > with the source to disable this. > > The logged-in user is not necessarily anonymous. > > > > Run arbitrary code on the target machine, which may perform operations > > > (such as creating new directories to store warez) which the FTP server > > > normally doesn't allow the user to perform, > > How is this possible if ftpd drops root privileges after > > successful login? > > I didn't claim the code would run as root. It would run as the > logged-in user, or user "ftp" in case of an anonymous login. The FTP daemon does _NOT_ drop privileges. It changes effective user ID only. (Do a 'ps -axo pid,command,user,ruser | grep ftpd' on a running daemon.) > > So, if the users already have shell accounts, this security hole > > does not matter for me, does it? > > Probably not. Depends on your anonftp setup. Privilege escalation is possible whenever an FTP daemon can be fed arbitrary code to execute. -- Crist J. Clark Network Security Engineer crist.clark@globalstar.com Globalstar, L.P. (408) 933-4387 FAX: (408) 933-4926 The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message