Date:      Tue, 24 Apr 2001 10:00:44 +0800
From:      Victor Sudakov <sudakov@sibptus.tomsk.ru>
To:        Crist Clark <crist.clark@globalstar.com>
Cc:        Dag-Erling Smorgrav <des@ofug.org>, freebsd-security@FreeBSD.ORG
Subject:   Re: Q: Impact of globbing vulnerability in ftpd
Message-ID:  <20010424100044.B40591@sibptus.tomsk.ru>
In-Reply-To: <3AE45EAC.18A180EE@globalstar.com>; from crist.clark@globalstar.com on Mon, Apr 23, 2001 at 09:56:12AM -0700
References:  <20010423111632.B17342@sibptus.tomsk.ru> <xzpitjvgbub.fsf@flood.ping.uio.no> <20010423190737.A25969@sibptus.tomsk.ru> <xzpae57fyzl.fsf@flood.ping.uio.no> <3AE45EAC.18A180EE@globalstar.com>

On Mon, Apr 23, 2001 at 09:56:12AM -0700, Crist Clark wrote:
> Dag-Erling Smorgrav wrote:
> > 
> > Victor Sudakov <sudakov@sibptus.tomsk.ru> writes:
> > > On Mon, Apr 23, 2001 at 12:16:44PM +0200, Dag-Erling Smorgrav wrote:
> > > > > As far as I understand, it can be exploited only after a user has
> > > > > logged in, so ftpd is already chrooted
> > > > Not necessarily.
> > > Anonymous account is always chrooted. I think you have to play
> > > with the source to disable this.
> > 
> > The logged-in user is not necessarily anonymous.
> > 
> > > > Run arbitrary code on the target machine, which may perform operations
> > > > (such as creating new directories to store warez) which the FTP server
> > > > normally doesn't allow the user to perform,
> > > How is this possible if ftpd drops root privileges after
> > > successful login?
> > 
> > I didn't claim the code would run as root.  It would run as the
> > logged-in user, or user "ftp" in case of an anonymous login.
> 
> The FTP daemon does _NOT_ drop privileges. It changes effective user
> ID only. (Do a 'ps -axo pid,command,user,ruser | grep ftpd' on a running 
> daemon.)

I see.

> 
> > > So, if the users already have shell accounts, this security hole
> > > does not matter for me, does it?
> > 
> > Probably not.  Depends on your anonftp setup.
> 
> Privilege escalation is possible whenever an FTP daemon can be fed
> arbitrary code to execute.

Do you know of any exploits that can run arbitrary code via ftpd
not with the euid of the user (possibly anonymous), but with root privileges?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/149@fidonet http://vas.tomsk.ru/
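
The distinction drawn in the quoted text above, between changing only the effective user ID and actually dropping privileges, as an added example that is not part of the original thread or of ftpd's source: a simplified C model of the POSIX real/effective/saved UID rules, showing why root stays recoverable after an effective-UID-only switch. The struct, the function names and UID 1001 are constructed for illustration, and real kernels differ in corner cases.

```c
#include <stdio.h>

/* Simplified model of the POSIX user-ID rules (constructed for illustration). */
struct cred { unsigned ruid, euid, suid; };   /* real, effective, saved */

/* seteuid(): permitted when privileged (euid 0) or when the target equals the
 * real or saved UID. Only the effective UID changes. */
static int model_seteuid(struct cred *c, unsigned uid)
{
    if (c->euid != 0 && uid != c->ruid && uid != c->suid)
        return -1;
    c->euid = uid;
    return 0;
}

/* setuid(): with euid 0 it sets all three IDs, so the drop is permanent;
 * without privilege it behaves like seteuid(). */
static int model_setuid(struct cred *c, unsigned uid)
{
    if (c->euid != 0)
        return model_seteuid(c, uid);
    c->ruid = c->euid = c->suid = uid;
    return 0;
}

/* Audit check: could code running with these IDs get euid 0 back? */
static int can_regain_root(struct cred c) { return model_seteuid(&c, 0) == 0; }

/* Daemon started as root that only switches its effective UID at login. */
static int euid_only_regains(unsigned user)
{
    struct cred c = {0, 0, 0};
    model_seteuid(&c, user);
    return can_regain_root(c);
}

/* Daemon started as root that calls setuid() while still privileged. */
static int full_drop_regains(unsigned user)
{
    struct cred c = {0, 0, 0};
    model_setuid(&c, user);
    return can_regain_root(c);
}

int main(void)
{
    printf("root recoverable: euid-only=%d, setuid()=%d\n",
           euid_only_regains(1001), full_drop_regains(1001));
    return 0;
}
```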
