~/.login_conf mechanism is flawed
Janne Snabb
snabb at epipe.com
Tue Aug 10 10:02:42 UTC 2010
On Tue, 10 Aug 2010, Przemyslaw Frasunek wrote:
> This seems to be incorrect for both ftpd and sshd on 6.4-RELEASE.
>
> 41673 sshd CALL setuid(0xbb8)
> 41673 sshd RET setuid 0
> 41673 sshd CALL seteuid(0xbb8)
> 41673 sshd RET seteuid 0
> 41673 sshd NAMI "/home/venglin/.login_conf"
> 41673 sshd NAMI "/home/venglin/.login_conf.db"
> 41673 sshd NAMI "/home/venglin/.login_conf.db"
The above actually seems correct to me. Both uid and euid are set
before accessing the capabilities. On 8.1-RELEASE this is different,
only euid is set to the user (to make it possible to access this
file if the home directory happens to be NFS mounted without root
access?).
> 41513 ftpd CALL seteuid(0xbb8)
> 41513 ftpd RET seteuid 0
> 41513 ftpd NAMI "/home/venglin/.login_conf"
> 41513 ftpd NAMI "/home/venglin/.login_conf.db"
> 41513 ftpd NAMI "/home/venglin/.login_conf.db"
This is clearly wrong, it is still possible to change euid back to 0.
It is still possible to setrlimit() anything.
> Back in 2001 I found a very similar vulnerability in 4.4-RELEASE, which allowed
> to read any file in system with root privileges:
>
> http://marc.info/?l=bugtraq&m=100101802423376&w=2
Hehe... I was about to try out this one next.
--
Janne Snabb / EPIPE Communications
snabb at epipe.com - http://epipe.com/
More information about the freebsd-security
mailing list