Re: ftpd security issue ?



On 11/30/2011 8:37 PM, Mike Tancsa wrote:
> On 11/30/2011 8:16 PM, Xin LI wrote:
>>
>> Sorry I patched at the wrong place, this one should do.
>>
>> Note however this is not sufficient to fix the problem, for instance
>> one can still upload .so's that run arbitrary code at his privilege,
>> which has to be addressed in libc. I need some time to play around
>> with libc to really fix this one.
>
> Hi,
> Yes, that looks better! With respect to users uploading .so files, I
> guess why not just upload executables directly? Although I suppose if
> they are not allowed to execute anything, this would be a way around that.
>
> Now to prod the proftpd folks

I was testing sshd when the user's sftp session is chrooted to see how
it behaves. Because of the safety design of the way sshd is written, it's
not possible to do this out of the box. The person would first need to
create those files as root since the chroot directory is not writeable
by the user as explained in
http://www.gossamer-threads.com/lists/openssh/dev/44657

But if somehow the user is able to create those directories at the top,
or those directories are created ahead of time for the user that are
writeable by them, the bogus lib will and does run in the user's context.

I don't imagine this is common, but I am sure there is some potential
foot shooting going on. Looking at the scponly port, it seems well
aware of this based on the suggested setup. But again, foot shooting
could happen if the lib path is not secured properly.

Other than having /etc/nsswitch.conf, are there any other methods that
would trigger loading of shared libs in the chrooted environment?

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@xxxxxxxxxx
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
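
An added example, not part of the original message or of any project named in it: a Python audit that walks a chroot tree and reports the locations where the confined user could plant or replace files that influence shared-library loading. Only /etc/nsswitch.conf comes from the thread; the library directory list, the function names and the trusted_uid parameter are assumptions to adjust for the system being checked.

```python
import os
import stat

# Assumption: paths (relative to the chroot) that can influence which shared
# objects a chrooted daemon loads. Only etc/nsswitch.conf comes from the
# thread; the library directories are illustrative and should be adjusted.
SENSITIVE = ("etc/nsswitch.conf", "lib", "usr/lib", "usr/local/lib")


def _problem(path, trusted_uid):
    """Return why `path` is unsafe, or None if it is safe or absent."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    if st.st_uid != trusted_uid:
        return "owned by uid %d" % st.st_uid
    if not stat.S_ISLNK(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/other writable"
    return None


def audit_chroot(root, trusted_uid=0, sensitive=SENSITIVE):
    """List (path, reason) pairs where the chrooted user could plant files."""
    paths = {os.path.abspath(root)}
    for rel in sensitive:
        # Every ancestor inside the chroot matters: a writable parent lets
        # the user create or replace the child even if the child looks fine.
        cur = os.path.abspath(root)
        for part in rel.split("/"):
            cur = os.path.join(cur, part)
            paths.add(cur)
        # Include everything already present below a sensitive directory.
        for dirpath, dirs, files in os.walk(cur):
            paths.update(os.path.join(dirpath, n) for n in dirs + files)
    findings = []
    for p in sorted(paths):
        reason = _problem(p, trusted_uid)
        if reason:
            findings.append((p, reason))
    return findings


if __name__ == "__main__":
    import sys
    for path, reason in audit_chroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("UNSAFE %s: %s" % (path, reason))
```

An empty result means the chroot root, every checked ancestor directory and everything already under the listed paths is owned by the trusted uid and not writable by group or other.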


