On 11/30/11 13:09, Przemyslaw Frasunek wrote:
>> Saw this on FD... Anyone know any more details about this?
>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html
>
> This is a well-known hazard of chrooting to directories controlled
> by unprivileged users. In this case, the vulnerability exists because
> ftpd calls /bin/ls with uid=0 and euid!=0 when the STAT command is
> issued, and nss_compat.so is loaded by libc regardless of elevated
> privileges.
> 
> This can be proven by creating dummy ~/lib/nss_compat.so.1:
> 
> [venglin@lagoon ~/lib]$ cat dummy.c
> #include <stdio.h>
> #include <fcntl.h>
> #include <unistd.h>	/* getuid(), geteuid() */
>
> /* Runs when libc dlopen()s this file as the nss_compat module. */
> void _init() {
> 	FILE *fp = fopen("asdf", "w+");
> 	if (fp == NULL)
> 		return;
> 	fprintf(fp, "%d %d\n", getuid(), geteuid());
> 	fclose(fp);
> }
> [venglin@lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC
> [venglin@lagoon ~/lib]$ cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o -nostartfiles
> [venglin@lagoon ~/lib]$ mv dummy.so nss_compat.so.1
> 
> And after calling the STAT command:
> 
> [venglin@lagoon ~/lib]$ cat ~/asdf
> 0 3000
> 
> BTW, this vulnerability affects only configurations where
> /etc/ftpchroot exists or the anonymous user is allowed to create files
> inside the etc and lib dirs.

This doesn't seem to be a typical configuration, or no?

Will the attached patch fix the problem?

(I think libc should just refuse /etc/nsswitch.conf and libraries if
they are writable by others by the way)

Cheers,
-- 
Xin LI <delp...@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!           Live free or die
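The libc-side check suggested above (refuse nsswitch.conf and NSS modules that others can write, and load no module at all while real and effective uid differ), sketched here in C as an added example. It is neither FreeBSD libc code nor code from this thread. Assumed: in real use the trusted owner is root, while the self-check uses the current uid so it can run unprivileged; the names trusted_nss_module_fd, inode_trusted and self_check are mine; fdlopen(3) is the FreeBSD call that would take the returned descriptor.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp, strdup, symlink, O_CLOEXEC on strict builds */
#include <sys/stat.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* One inode: right type, owned by trusted_uid, not writable by group or
 * others.  Returns 1 if acceptable, else 0 with *why set. */
static int inode_trusted(const struct stat *st, mode_t type,
                         uid_t trusted_uid, const char **why)
{
    if ((st->st_mode & S_IFMT) != type)    { *why = "unexpected file type"; return 0; }
    if (st->st_uid != trusted_uid)         { *why = "not owned by trusted uid"; return 0; }
    if (st->st_mode & (S_IWGRP | S_IWOTH)) { *why = "writable by group/other"; return 0; }
    return 1;
}

/* May the NSS module (or nsswitch.conf) at `path` be loaded by a process
 * with real uid `uid` and effective uid `euid`?  Refuses when uid != euid
 * (the ftpd -> /bin/ls child from the thread: 0 vs 3000), when the file is
 * not a plain file owned by trusted_uid without group/other write, or when
 * its directory fails the same test.  Returns an O_RDONLY descriptor on
 * success (hand it to fdlopen(3) on FreeBSD so the file that was checked is
 * the one mapped), or -1 on refusal with *why explaining. */
int trusted_nss_module_fd(const char *path, uid_t trusted_uid,
                          uid_t uid, uid_t euid, const char **why)
{
    struct stat st;
    char *copy;
    int fd, rc;

    if (uid != euid) { *why = "real/effective uid differ"; return -1; }

    /* O_NOFOLLOW: a symlink planted in ~/lib must not redirect the load. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) { *why = "open failed"; return -1; }
    if (fstat(fd, &st) != 0) { *why = "fstat failed"; close(fd); return -1; }
    if (!inode_trusted(&st, S_IFREG, trusted_uid, why)) { close(fd); return -1; }

    /* Whoever can write the directory can rename a module into place. */
    if ((copy = strdup(path)) == NULL) { *why = "out of memory"; close(fd); return -1; }
    rc = stat(dirname(copy), &st);
    free(copy);
    if (rc != 0) { *why = "stat of directory failed"; close(fd); return -1; }
    if (!inode_trusted(&st, S_IFDIR, trusted_uid, why)) { close(fd); return -1; }

    *why = "ok";
    return fd;
}

/* Exercise the policy on a scratch directory owned by the current uid.
 * Returns 1 if every case is decided as intended, 0 otherwise. */
int self_check(void)
{
    char dir[] = "/tmp/nsscheckXXXXXX", path[64], link[64];
    const char *why;
    uid_t me = getuid();
    int fd, ok = 1;
    FILE *f;

    if (mkdtemp(dir) == NULL) return 0;            /* mode 0700, owned by us */
    snprintf(path, sizeof path, "%s/nss_compat.so.1", dir);
    snprintf(link, sizeof link, "%s/nss_link.so.1", dir);
    if ((f = fopen(path, "w")) == NULL) return 0;
    fputs("constructed stand-in for a module, not an ELF object\n", f);
    fclose(f);

    chmod(path, 0644);                             /* accepted */
    fd = trusted_nss_module_fd(path, me, me, me, &why);
    ok &= (fd >= 0);
    if (fd >= 0) close(fd);

    ok &= (trusted_nss_module_fd(path, me, 0, 3000, &why) < 0);   /* uid != euid */
    ok &= (trusted_nss_module_fd(path, me + 1, me, me, &why) < 0); /* wrong owner */

    chmod(path, 0664);                             /* group-writable file */
    ok &= (trusted_nss_module_fd(path, me, me, me, &why) < 0);
    chmod(path, 0644);

    chmod(dir, 0777);                              /* world-writable directory */
    ok &= (trusted_nss_module_fd(path, me, me, me, &why) < 0);
    chmod(dir, 0700);

    if (symlink(path, link) == 0) {                /* symlink to a good file */
        ok &= (trusted_nss_module_fd(link, me, me, me, &why) < 0);
        unlink(link);
    }
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(int argc, char **argv)
{
    const char *why;
    int fd;
    if (argc < 2) {
        printf("self-check %s\n", self_check() ? "passed" : "FAILED");
        return 0;
    }
    /* Real use: modules must be root-owned; uid/euid are the caller's own. */
    fd = trusted_nss_module_fd(argv[1], 0, getuid(), geteuid(), &why);
    printf("%s: %s\n", argv[1], why);
    if (fd >= 0) close(fd);
    return fd >= 0 ? 0 : 1;
}
```

The descriptor is returned rather than a yes/no so the loader can map exactly the inode it checked; a stat-then-dlopen(path) sequence reopens the path and races with a rename. The directory test still races in principle, but in the case from the thread the attacker owns ~/lib outright, which the ownership check catches. Only the immediate directory is examined; a full implementation would walk every ancestor and decide how to treat sticky world-writable directories.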
Index: libexec/ftpd/popen.c
===================================================================
--- libexec/ftpd/popen.c        (revision 228156)
+++ libexec/ftpd/popen.c        (working copy)
@@ -157,6 +157,7 @@ ftpd_popen(char *program, char *type)
                        }
                        exit(ls_main(gargc, gargv));
                }
+               setuid(geteuid());
                execv(gargv[0], gargv);
                _exit(1);
        }
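Review bot: the return value of setuid(geteuid()) on the added line is not checked, so if the call fails the child still falls through to execv(gargv[0], gargv) with the very uid 0 / euid mismatch the patch is meant to remove. Suggest `if (setuid(geteuid()) != 0) _exit(1);` and, for belt and braces, refusing to exec unless getuid() == geteuid() afterwards. The inserted call also covers only the execv path: the `exit(ls_main(gargc, gargv));` branch just above it still runs with the original credentials, so if that in-process build is subject to the same NSS-loading hazard the setuid belongs above that branch, not below it. A one-line comment would help too, since setuid(geteuid()) is the BSD special case that sets real, effective and saved uid together, which is what is wanted here, and it would be easy for a later reader to "simplify" it to seteuid().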
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security