IMPORTANT FOR lukemftpd USERS (was Re: FreeBSD Security Advisory FreeBSD-SA-03:08.realpath)
Jacques A. Vidrine
nectar at FreeBSD.org
Mon Aug 4 15:35:13 PDT 2003
On Sun, Aug 03, 2003 at 05:04:31PM -0700, FreeBSD Security Advisories wrote:
> (1) lukemftpd(8), an alternative FTP server: realpath(3) is used to
> process the MLST and MLSD commands. [lukemftpd(8) is not built or
> installed by default.]
[...]
> the realpath(3) vulnerability may be
> exploitable, leading to arbitrary code execution with the privileges
> of the authenticated user. This is probably only of concern on
> otherwise `closed' servers, e.g. servers without shell access.
[...]

I have a correction to make regarding the above text. In the case of
lukemftpd (and lukemftpd only), in some situations the vulnerability
may be used to execute code with _superuser privileges_.

If lukemftpd is NOT invoked with `-r', then it does NOT completely
drop privileges when a user logs in. Thus, a successful exploit will
be able to regain superuser privileges.

Conversely, if lukemftpd IS invoked with `-r', then the original
advisory text above applies.

The example usage for lukemftpd that was in /etc/inetd.conf prior to
5.1-RELEASE included the `-r' flag, but there is no longer an example
in 5.1-RELEASE. I don't think there was ever an example entry for
4.x.

I would normally immediately publish a revised advisory with this
additional information; however, lukemftpd is neither built nor
installed by default. Since that is the case, I will probably wait a
few days before revision in case further useful information comes to
light.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar at celabo.org . jvidrine at verio.net . nectar at freebsd.org . nectar at kth.se
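
An added example, not part of the original message and not FreeBSD's own tooling: a shell function that scans inetd.conf-style input for active lukemftpd entries and reports whether each one passes a standalone `-r'. The server path, the sample lines and the OK/REVIEW/NO-R labels are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): audit inetd.conf-style
# input for active lukemftpd entries that lack a standalone -r flag.

# Usage: audit_lukemftpd [FILE]   (reads stdin when FILE is omitted)
# Prints "LINENO: STATUS: entry" for each active lukemftpd entry.
#   OK      a standalone -r argument is present
#   REVIEW  r appears only inside a flag cluster such as -lr (assumption:
#           reported for manual review rather than trusted)
#   NO-R    no -r at all
# Exit status is 1 if any entry is not OK, else 0.
audit_lukemftpd() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }      # comments, blanks, short lines
        {
            # Fields: service type proto wait user program argv0 args...
            prog = $6
            sub(/.*\//, "", prog)          # basename of the server program
            if (prog != "lukemftpd") next
            status = "NO-R"
            for (i = 8; i <= NF; i++) {    # field 7 is argv[0], not an option
                if ($i == "-r") status = "OK"
                else if (status != "OK" && $i ~ /^-[A-Za-z]*r/) status = "REVIEW"
            }
            if (status != "OK") bad = 1
            printf "%d: %s: %s\n", NR, status, $0
        }
        END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample input; these lines are not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# constructed inetd.conf fragment
ftp     stream tcp  nowait root /usr/libexec/ftpd      ftpd -l
#ftp    stream tcp  nowait root /usr/libexec/lukemftpd ftpd -l -r
ftp     stream tcp  nowait root /usr/libexec/lukemftpd ftpd -l
ftp     stream tcp6 nowait root /usr/libexec/lukemftpd ftpd -l -r
ftp-alt stream tcp  nowait root /usr/libexec/lukemftpd ftpd -lr
EOF
}

sample_inetd_conf | audit_lukemftpd || echo "lukemftpd entries need attention"
```

Run against a real host with `audit_lukemftpd /etc/inetd.conf`; commented-out entries are ignored because inetd does not start them.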