> What I found especially worrying is that this user-supplied untrustable
> file is being parsed and processed by various daemons and other
> login mechanisms BEFORE permanently dropping root privileges. Unless
> there is a very strong reason, which I am overlooking, to do so, I
> find this design very flawed.
This seems to be incorrect for both ftpd and sshd on 6.4-RELEASE.

 41673 sshd CALL setuid(0xbb8)
 41673 sshd RET setuid 0
 41673 sshd CALL seteuid(0xbb8)
 41673 sshd RET seteuid 0
 41673 sshd NAMI "/home/venglin/.login_conf"
 41673 sshd NAMI "/home/venglin/.login_conf.db"
 41673 sshd NAMI "/home/venglin/.login_conf.db"

 41513 ftpd CALL seteuid(0xbb8)
 41513 ftpd RET seteuid 0
 41513 ftpd NAMI "/home/venglin/.login_conf"
 41513 ftpd NAMI "/home/venglin/.login_conf.db"
 41513 ftpd NAMI "/home/venglin/.login_conf.db"

Back in 2001 I found a very similar vulnerability in 4.4-RELEASE, which allowed reading any file in the system with root privileges:

http://marc.info/?l=bugtraq&m=100101802423376&w=2

Since then, elevated privileges are dropped before parsing login_conf.

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: [email protected] ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
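The kdump output above is read by eye; the following is an added example (not from the poster or from FreeBSD) that automates that reading: for every process in a kdump(1) trace it checks that each lookup of the user's .login_conf came after a successful setuid/seteuid to a non-zero uid, and records whether the drop was a permanent setuid() or only a reversible seteuid(). The sample trace reuses the sshd and ftpd lines quoted above plus a constructed process "badd" (pid 99999) that gets the order wrong; the assumption that a process with no completed set*uid call is still root is labelled in the code.

```python
import re

# kdump(1) output quoted in the message above (sshd and ftpd on 6.4-RELEASE),
# plus a constructed process (pid 99999, "badd") that looks up .login_conf
# before it drops root, to show what the bad ordering looks like.
KDUMP_LINES = """\
41673 sshd CALL setuid(0xbb8)
41673 sshd RET setuid 0
41673 sshd CALL seteuid(0xbb8)
41673 sshd RET seteuid 0
41673 sshd NAMI "/home/venglin/.login_conf"
41513 ftpd CALL seteuid(0xbb8)
41513 ftpd RET seteuid 0
41513 ftpd NAMI "/home/venglin/.login_conf"
41513 ftpd NAMI "/home/venglin/.login_conf.db"
99999 badd NAMI "/home/venglin/.login_conf"
99999 badd CALL setuid(0xbb8)
99999 badd RET setuid 0
"""

CALL_RE = re.compile(r'^(\d+)\s+(\S+)\s+CALL\s+(setuid|seteuid)\((0x[0-9a-fA-F]+|\d+)\)')
RET_RE = re.compile(r'^(\d+)\s+(\S+)\s+RET\s+(setuid|seteuid)\s+(-?\d+)')
NAMI_RE = re.compile(r'^(\d+)\s+(\S+)\s+NAMI\s+"([^"]*)"')


def check_privdrop_order(kdump_text, suffixes=(".login_conf", ".login_conf.db")):
    """Map pid -> (procname, ok, permanent) for each process that looked up a
    file ending in `suffixes`.  ok: every such lookup came after a successful
    set*uid to a non-zero uid.  permanent: that drop included setuid(), not
    just seteuid(), which leaves the saved uid at 0 and can be undone."""
    pending = {}   # pid -> (call, uid) of a CALL still awaiting its RET line
    state = {}     # pid -> [euid after last successful set*uid, permanent?]
    report = {}
    for line in kdump_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            pid, _, call, uid = m.groups()
            pending[pid] = (call, int(uid, 0))
            continue
        m = RET_RE.match(line)
        if m:
            pid, _, call, rv = m.groups()
            if rv == "0" and pending.get(pid, (None,))[0] == call:
                uid = pending.pop(pid)[1]
                st = state.setdefault(pid, [0, False])
                st[0], st[1] = uid, st[1] or (call == "setuid" and uid != 0)
            continue
        m = NAMI_RE.match(line)
        if m and m.group(3).endswith(suffixes):
            pid, name, _ = m.groups()
            # assumption: no completed set*uid seen yet means the daemon is still root
            uid, permanent = state.get(pid, (0, False))
            prev_ok = report.get(pid, (name, True, False))[1]
            report[pid] = (name, prev_ok and uid != 0, permanent)
    return report
```

Run it over `kdump` output of a real trace to get one verdict per pid; ftpd above passes the ordering check but only via seteuid(), which is the distinction the quoted "permanently" is about.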
