ftpd security issue ?
Mike Tancsa
mike at sentex.net
Mon Dec 5 19:45:09 UTC 2011
On 11/30/2011 8:16 PM, Xin LI wrote:
> On 11/30/11 17:01, Mike Tancsa wrote:
>> On 11/30/2011 7:01 PM, Xin LI wrote:
>>>
>>>> BTW. This vulnerability affects only configurations, where
>>>> /etc/ftpchroot exists or anonymous user is allowed to create
>>>> files inside etc and lib dirs.
>>>
>>> This doesn't seem to be typical configuration or no?
>
>> I think in shared hosting environments it would be somewhat common.
>> For annon ftp, I dont think the anon user would be able to create /
>> write to a lib directory.
>
>>>
>>> Will the attached patch fix the problem?
>>>
>>> (I think libc should just refuse /etc/nsswitch.conf and libraries
>>> if they are writable by others by the way)
>
>> It does not seem to prevent the issue for me. Using Przemyslaw
>> program's,
>
> Sorry I patched at the wrong place, this one should do.
>
> Note however this is not sufficient to fix the problem, for instance
> one can still upload .so's that run arbitrary code at his privilege,
> which has to be addressed in libc. I need some time to play around
> with libc to really fix this one.
Forgive the naive question, but is there a way to prevent a process (in
this case proftpd) from loading a .so if the session is in a chrooted
environment ? Or if at the start of the process, is there a way to
force the process to load a lib so that later on, it wont try and load
the "bad" lib ?
---Mike
--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
More information about the freebsd-security
mailing list