bin/117922: ftpd: remote ftp user possible leave chrooted
environment in 7.0-BETA2
Igor Marijko
im at sv.ua
Thu Nov 8 05:30:01 PST 2007
>Number: 117922
>Category: bin
>Synopsis: ftpd: remote ftp user possible leave chrooted environment in 7.0-BETA2
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Nov 08 13:30:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Igor Marijko
>Release: FreeBSD 7.0-BETA2
>Organization:
sv
>Environment:
FreeBSD bsd2.SV.UA 7.0-BETA2 FreeBSD 7.0-BETA2 #0: Fri Nov 2 16:47:33 UTC 2007 root at logan.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386
>Description:
ftpd included in FreeBSD allows remote ftp user leave chrooted (via /etc/ftpchroot) environment within the bounds of the parition.
Bug also present in 5.4-RELEASE and 6.2-RELEASE (and may be in other versions)
>How-To-Repeat:
Using default instalations,
uncoment next line in /etc/inetd.conf
ftp stream tcp nowait root /usr/libexec/ftpd ftpd -ll
add line 'inetd_enable="YES"' to /etc/rc.conf
and start inetd using '/etc/rc.d/inetd start'
create new user, for example 'admin'
and add login of this user to /etc/ftpchroot
After that using any ftp client (FAR manager) connect to our ftpd as 'admin'. Create on ftp any directory and 'cd' into it.
If user been in some folder (user session root changed to /home/admin) and in time this directory has been moved by another user outside chroot directory (/home/admin) within the bounds of the parition (to "/usr/local/www/data" for example). Ftp user going out directory (cd ..) leave chroot directory and grand access to files on partition.
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list