ftpd security issue ?
Xin LI
delphij at delphij.net
Thu Dec 1 00:01:11 UTC 2011
On 11/30/11 13:09, Przemyslaw Frasunek wrote:
>> Saw this on FD... Anyone know any more details about this ?
>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html
>
>>
> This is a well-known hazard of chrooting to directories controlled
> by unprivileged users. In this case, the vulnerability exists because
> ftpd calls /bin/ls with uid=0 and euid!=0 when the STAT command is
> issued, and nss_compat.so is loaded by libc regardless of elevated
> privileges.
>
> This can be proven by creating a dummy ~/lib/nss_compat.so.1:
>
> [venglin at lagoon ~/lib]$ cat dummy.c
> #include <stdio.h>
> #include <fcntl.h>
> #include <unistd.h>   /* getuid(), geteuid() */
>
> /* Runs when the library is loaded; records the ids of the loading process. */
> void _init() {
>     FILE *fp = fopen("asdf", "w+");
>     if (fp == NULL)
>         return;
>     fprintf(fp, "%d %d\n", getuid(), geteuid());
>     fclose(fp);
> }
> [venglin at lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC
> [venglin at lagoon ~/lib]$ cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o -nostartfiles
> [venglin at lagoon ~/lib]$ mv dummy.so nss_compat.so.1
>
> And after calling the STAT command:
>
> [venglin at lagoon ~/lib]$ cat ~/asdf
> 0 3000
>
> BTW, this vulnerability affects only configurations where
> /etc/ftpchroot exists or the anonymous user is allowed to create files
> inside the etc and lib dirs.
This doesn't seem to be a typical configuration, no?
Will the attached patch fix the problem?
(I think libc should just refuse /etc/nsswitch.conf and libraries if
they are writable by others, by the way.)
Cheers,
--
Xin LI <delphij at delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
-------------- next part --------------
Index: libexec/ftpd/popen.c
===================================================================
--- libexec/ftpd/popen.c (revision 228156)
+++ libexec/ftpd/popen.c (working copy)
@@ -157,6 +157,7 @@ ftpd_popen(char *program, char *type)
}
exit(ls_main(gargc, gargv));
}
+ setuid(geteuid());
execv(gargv[0], gargv);
_exit(1);
}
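Review bot: the new setuid(geteuid()) call discards its return value, so if it fails the child still falls through to execv() with uid 0 and euid != 0, which is exactly the state the report describes. Make failure fatal in the child, e.g. `if (setuid(geteuid()) != 0) _exit(1);`, and consider adjusting the group ids (setgid/setgroups) the same way, since only the uid is touched here. Note also that the exit(ls_main(gargc, gargv)) branch just above returns before the new line, so a build using the internal ls is not covered by this change; worth confirming whether that path needs the same treatment.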