Re: ~/.login_conf mechanism is flawed



> What I found especially worrying is that this user-supplied untrustable
> file is being parsed and processed by various daemons and other
> login mechanisms BEFORE permanently dropping root privileges. Unless
> there is a very strong reason, which I am overlooking, to do so, I
> find this design very flawed.

This seems to be incorrect for both ftpd and sshd on 6.4-RELEASE.

41673 sshd CALL setuid(0xbb8)
41673 sshd RET setuid 0
41673 sshd CALL seteuid(0xbb8)
41673 sshd RET seteuid 0
41673 sshd NAMI "/home/venglin/.login_conf"
41673 sshd NAMI "/home/venglin/.login_conf.db"
41673 sshd NAMI "/home/venglin/.login_conf.db"

41513 ftpd CALL seteuid(0xbb8)
41513 ftpd RET seteuid 0
41513 ftpd NAMI "/home/venglin/.login_conf"
41513 ftpd NAMI "/home/venglin/.login_conf.db"
41513 ftpd NAMI "/home/venglin/.login_conf.db"

Back in 2001 I found a very similar vulnerability in 4.4-RELEASE, which allowed
reading any file on the system with root privileges:

http://marc.info/?l=bugtraq&m=100101802423376&w=2

Since then, elevated privileges are dropped before parsing login_conf.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin@xxxxxxxx ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
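The ordering the ktrace output above records (setuid(2) first, then the NAMI lookups for ~/.login_conf) is the safe one, and the 2001 bug was the reverse: a root daemon opening a user-controlled file before dropping privileges. The following is an added example written for this page; it is not code from the original message, from FreeBSD's sshd or ftpd, or from login_cap(3). It shows a daemon-style helper that drops privileges permanently, verifies the drop cannot be undone, and only then opens a user-owned configuration file, failing closed if it is somehow still running with elevated credentials. The temporary path under /tmp and the login.conf(5)-style sample contents are constructed for the demonstration; when run as an unprivileged user it drops to that same user, which exercises the checks without needing root.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to the target user's credentials. Order matters:
 * supplementary groups first (only root may call setgroups), then the
 * gid, then the uid; once the uid has changed, the other two can no
 * longer be adjusted. Returns 0 on success, -1 on any failure. */
int drop_privileges_permanently(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop is real and irreversible: regaining root must fail,
     * and both real and effective ids must now be the target's. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Open a user-controlled configuration file (such as ~/.login_conf) with the
 * user's credentials, never root's. The privilege drop happens before open(2),
 * matching the setuid-then-NAMI ordering in the ktrace output above.
 * Returns an open fd, or -1 on failure. */
int open_user_conf(const char *path, uid_t uid, gid_t gid)
{
    if (drop_privileges_permanently(uid, gid) != 0)
        return -1;
    /* Fail closed if we are somehow still not running as the user. */
    if (geteuid() != uid)
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* Belt and braces: a regular file owned by the user whose config it is. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != uid) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-contained demonstration: write a constructed login.conf(5)-style
 * fragment to a temporary file, then read it back through open_user_conf()
 * as the invoking user. Returns the number of bytes read, or -1. */
ssize_t demo_read_own_conf(void)
{
    /* Constructed sample entry (40 bytes); not taken from any real system. */
    static const char sample[] = "me:\\\n\t:lang=en_US.UTF-8:\\\n\t:tc=default:\n";
    char path[] = "/tmp/login_conf_demo.XXXXXX";   /* assumed writable tmp dir */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, sample, sizeof(sample) - 1) != (ssize_t)(sizeof(sample) - 1)) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);

    ssize_t n = -1;
    int cfd = open_user_conf(path, getuid(), getgid());
    if (cfd >= 0) {
        char buf[256];
        n = read(cfd, buf, sizeof(buf));
        close(cfd);
    }
    unlink(path);
    return n;
}

int main(void)
{
    ssize_t n = demo_read_own_conf();
    if (n < 0) {
        perror("demo_read_own_conf");
        return 1;
    }
    printf("read %zd bytes as uid %u (euid %u)\n", n,
           (unsigned)getuid(), (unsigned)geteuid());
    return 0;
}
```

The check after setuid(2) is the part worth copying: a daemon that only calls setuid() and assumes success can still be root if the call failed or if only the effective uid changed, and the file it then parses is attacker-controlled. Verifying that setuid(0) now fails turns a silent ordering mistake into a hard error.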