Re: ~/.login_conf mechanism is flawed

---

• From: Przemyslaw Frasunek <przemyslaw@xxxxxxxxxxxx>
• Date: Tue, 10 Aug 2010 11:45:13 +0200

---

What I found especially worrying is that this user-supplied untrustable
file is being parsed and processed by various daemons and other
login mechanisms BEFORE permanently dropping root privileges. Unless
there is a very strong reason, which I am overlooking, to do so, I
find this design very flawed.

This seems to be incorrect for both ftpd and sshd on 6.4-RELEASE.

41673 sshd CALL setuid(0xbb8)
41673 sshd RET setuid 0
41673 sshd CALL seteuid(0xbb8)
41673 sshd RET seteuid 0
41673 sshd NAMI "/home/venglin/.login_conf"
41673 sshd NAMI "/home/venglin/.login_conf.db"
41673 sshd NAMI "/home/venglin/.login_conf.db"

41513 ftpd CALL seteuid(0xbb8)
41513 ftpd RET seteuid 0
41513 ftpd NAMI "/home/venglin/.login_conf"
41513 ftpd NAMI "/home/venglin/.login_conf.db"
41513 ftpd NAMI "/home/venglin/.login_conf.db"

Back in 2001 I found a very similar vulnerability in 4.4-RELEASE, which allowed
to read any file in system with root privileges:

http://marc.info/?l=bugtraq&m=100101802423376&w=2

Since then, elevated privileges are dropped before parsing login_conf.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin@xxxxxxxx ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"

---

• Follow-Ups:
  • Re: ~/.login_conf mechanism is flawed
    • From: Dag-Erling Smørgrav
  • Re: ~/.login_conf mechanism is flawed
    • From: Janne Snabb

• References:
  • ~/.login_conf mechanism is flawed
    • From: Janne Snabb

• Prev by Date: ~/.login_conf mechanism is flawed
• Next by Date: Re: ~/.login_conf mechanism is flawed
• Previous by thread: ~/.login_conf mechanism is flawed
• Next by thread: Re: ~/.login_conf mechanism is flawed
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: [Full-Disclosure] Automated SSH login attempts? ... I also seen since July 22nd, bruteforce login attempts on ftpd (proftpd) from ... same ip ranges. ... And like you some attempts in sshd. ... (Full-Disclosure) Re: Pros and Cons of running under inetd.... ... I run sshd and ftpd on my laptop. ... ftpd does not heed hosts.allow directives when NOT run via inetd. ... (freebsd-questions) Re: Pros and Cons of running under inetd.... ... I run sshd and ftpd on my laptop. ... ftpd does not heed hosts.allow directives when NOT run via inetd. ... I prefer to use tcpwrappers to further protect my sshd and ftpd. ... (freebsd-questions) RE: SSHD and FTPD, cant connect ... Or if you just try telnet server.ip 22 do you get anything back? ... SSHD and FTPD, can't connect ... I can ping the box and use the Apache and telnet daemons, ... (freebsd-stable) RE: SSHD and FTPD, cant connect ... SSHD and FTPD, can't connect ... I can ping the box and use the Apache and telnet daemons, ... To unsubscribe, ... (freebsd-stable)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > FreeBSD-Security  > 2010-08