Date:      Mon, 23 Apr 2001 19:07:37 +0800
From:      Victor Sudakov <sudakov@sibptus.tomsk.ru>
To:        Dag-Erling Smorgrav <des@ofug.org>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Q: Impact of globbing vulnerability in ftpd
Message-ID:  <20010423190737.A25969@sibptus.tomsk.ru>
In-Reply-To: <xzpitjvgbub.fsf@flood.ping.uio.no>; from des@ofug.org on Mon, Apr 23, 2001 at 12:16:44PM +0200
References:  <20010423111632.B17342@sibptus.tomsk.ru> <xzpitjvgbub.fsf@flood.ping.uio.no>

On Mon, Apr 23, 2001 at 12:16:44PM +0200, Dag-Erling Smorgrav wrote:
> > I do not quite understand the impact of the globbing vulnerability.
> 
> There was an exploitable buffer overflow in the globbing code.
> 
> > As far as I understand, it can be exploited only after a user has
> > logged in, so ftpd is already chrooted
> 
> Not necessarily.

Anonymous account is always chrooted. I think you have to play
with the source to disable this.

> 
> >                                        and running with the uid of
> > the user at the moment.  What serious trouble can an attacker
> > cause under these conditions?
> 
> Run arbitrary code on the target machine, which may perform operations
> (such as creating new directories to store warez) which the FTP server
> normally doesn't allow the user to perform, 

How is this possible if ftpd drops root privileges after
successful login?

> or even exploit a local
> root compromise.
> 

So, if the users already have shell accounts, this security hole
does not matter for me, does it?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/149@fidonet http://vas.tomsk.ru/
