ports/61364: fspd:remote exploitable security hole

Radim Kolar hsn at netmag.cz
Wed Jan 14 17:10:21 UTC 2004 

>Number:         61364
>Category:       ports
>Synopsis:       fspd:remote exploitable security hole
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jan 14 09:10:13 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Radim Kolar
>Release:        FreeBSD 5.2-RELEASE i386
>Organization:
Sanatana Dharma 
>Environment:
System: FreeBSD asura.bsd 5.2-RELEASE FreeBSD 5.2-RELEASE #0: Sat Jan 10 23:01:11 CET 2004 root at asura.bsd:/usr/src/sys/i386/compile/GENERIC i386

>Description:
ports/net/fspd 281b3 is a very old fsp daemon which is slow and has some major
security issues, so nobody should run this junk anymore. You can get
newer version from http://fsp.sourceforge.net/ and repackage it.
Current version is autoconfed. There will be fsp281b19 shortly which
has my 2-line patch for clean bsd compile.
 
It has two major security problem: 
1) root escape
2) buffer overflow when checking paths

>How-To-Repeat:
You can get independant fsp protocol stacks from fsp.sf.net and write
a nice exploits. FSPD can not be exploited using standard tools provided
with fsp of by fspclient. I had fsp exploit before, but after Debian group
update their fsp distribution, i have deleted them. I have send my exploit
to packetstormsecurity and Debian security team in December,
but they do not published it nor made announcement. I have no experience
with dealing with security holes but i had surpriced that both groups
ignored this problem. 

These funny path for root escape looks like /../../z/y/z. If i remmember
correctly fspd rejects pathes starting with dot so ../.. do not works. 

>Fix:
remove old junk asap from mirrors, upgrade port. Take a rest. FSP is a very usefull
thing, my ISP do not counts UDP in my month quota. FSP is about 3x slower
than TCP.

Radim Kolar
current maintainer of fsp protocol suite
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list