On 11/30/11 13:09, Przemyslaw Frasunek wrote:
>> Saw this on FD... Anyone know any more details about this ?
>> http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html
>
> This is a well-known hazard of chrooting to directories controlled
> by unprivileged users. In this case, the vulnerability exists because
> ftpd calls /bin/ls with uid=0 and euid!=0 when the STAT command is
> issued, and nss_compat.so is loaded by libc regardless of elevated
> privileges.
>
> This can be proven by creating dummy ~/lib/nss_compat.so.1:
>
> [venglin@lagoon ~/lib]$ cat dummy.c
> #include <stdio.h>
> #include <fcntl.h>
> #include <unistd.h>   /* declares getuid() and geteuid() */
>
> /* runs when libc dlopen()s this file as an NSS module */
> void _init() {
>         FILE *fp = fopen("asdf", "w+");
>         fprintf(fp, "%d %d\n", getuid(), geteuid());
> }
> [venglin@lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC
> [venglin@lagoon ~/lib]$ cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o -nostartfiles
> [venglin@lagoon ~/lib]$ mv dummy.so nss_compat.so.1
>
> And after calling STAT command:
>
> [venglin@lagoon ~/lib]$ cat ~/asdf
> 0 3000
>
> BTW, this vulnerability affects only configurations where
> /etc/ftpchroot exists or the anonymous user is allowed to create files
> inside the etc and lib dirs.
This doesn't seem to be a typical configuration, no?
Will the attached patch fix the problem?
(I think libc should just refuse /etc/nsswitch.conf and libraries if
they are writable by others, by the way.)
Cheers,
--
Xin LI <[email protected]> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
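Przemyslaw's point above is that the trouble starts once a process that still holds uid 0 chroots into a tree an unprivileged user can write to, and Xin's aside is that libc should refuse nsswitch.conf and modules writable by others. One way to close that window before the chroot happens is to refuse the jail unless every path component is root-owned and not group- or world-writable. This is an added example, not code from this thread or from FreeBSD's ftpd or libc; dir_is_trusted, path_is_trusted and safe_chroot are hypothetical names.

```c
#define _DEFAULT_SOURCE 1   /* expose lstat(), chroot(), PATH_MAX under strict -std= flags on glibc */
#include <limits.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: a directory counts as trusted only when root owns it
 * and neither group nor others can write to it, so no unprivileged user can
 * plant lib/nss_*.so or etc/nsswitch.conf under it. Symlinks and plain files
 * are rejected outright (callers use lstat(), so a symlink is not followed). */
int dir_is_trusted(uid_t uid, mode_t mode)
{
    return S_ISDIR(mode) && uid == 0 && (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Check every component of an absolute path ("/", "/home", "/home/ftp", ...)
 * with lstat(). Returns 1 only if the whole chain is trusted. */
int path_is_trusted(const char *path)
{
    char buf[PATH_MAX], saved;
    struct stat st;
    size_t i, len;

    if (path == NULL || path[0] != '/' || (len = strlen(path)) >= sizeof(buf))
        return 0;
    memcpy(buf, path, len + 1);
    if (lstat("/", &st) != 0 || !dir_is_trusted(st.st_uid, st.st_mode))
        return 0;
    for (i = 1; i <= len; i++) {
        if ((buf[i] != '/' && buf[i] != '\0') || buf[i - 1] == '/')
            continue;           /* not a component end, or "//" / trailing "/" */
        saved = buf[i];
        buf[i] = '\0';          /* temporarily cut the path at this component */
        if (lstat(buf, &st) != 0 || !dir_is_trusted(st.st_uid, st.st_mode))
            return 0;
        buf[i] = saved;
    }
    return 1;
}

/* Hypothetical replacement for a bare chroot(2) in a privileged daemon:
 * refuse the jail unless its whole path is trusted. 0 on success, -1 otherwise. */
int safe_chroot(const char *dir)
{
    if (!path_is_trusted(dir) || chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    return 0;
}
```

A /etc/ftpchroot entry pointing at a user-owned home directory, or an anonymous area with writable etc and lib subdirectories, fails this check and the daemon never enters the jail with uid 0.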
Index: libexec/ftpd/popen.c
===================================================================
--- libexec/ftpd/popen.c (revision 228156)
+++ libexec/ftpd/popen.c (working copy)
@@ -157,6 +157,7 @@ ftpd_popen(char *program, char *type)
}
exit(ls_main(gargc, gargv));
}
+ setuid(geteuid());
execv(gargv[0], gargv);
_exit(1);
}
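Review bot: the return value of the added `setuid(geteuid());` is not checked, so if the call fails the child still reaches `execv(gargv[0], gargv);` with the real uid unchanged, which is exactly the uid/euid mismatch the patch is meant to remove; suggest `if (setuid(geteuid()) != 0) _exit(1);`. Also, the built-in listing branch just above it (`exit(ls_main(gargc, gargv));`) exits before the new line is reached, so that path keeps the original real uid; if STAT can take that branch, the call belongs before it so both paths drop privileges.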
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security