[Bug 226004] tftpd: with relative pathnames, tftpd doesn't validate world writability
bugzilla-noreply at freebsd.org
Sun Feb 18 17:24:09 UTC 2018
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=226004
Bug ID: 226004
Summary: tftpd: with relative pathnames, tftpd doesn't validate world writability
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: bin
Assignee: freebsd-bugs at FreeBSD.org
Reporter: asomers at FreeBSD.org
tftpd(8)'s man page says that files may be written only if they already exist
and are publicly writable. However, it doesn't correctly validate public
writability when given a relative pathname. In validate_access at line 746, it
checks for the S_IROTH bit, regardless of the mode. It should check for
S_IWOTH when the mode is WRQ.
Steps to reproduce:
1) In inetd.conf, ensure that the "-s" option is lacking
2) In an authorized directory (such as /tftpboot), create a file named
"world_readable" with mode 444
3) From a client, create a file named foo.txt and do
"echo put foo.txt world_readable | tftp <hostname>"
4) Check the server's /var/log/xferlog. It should show something like this:
Feb 17 21:49:37 fbsd12 tftpd[1512]: Filename: 'world_readable'
Feb 17 21:49:37 fbsd12 tftpd[1512]: Mode: 'netascii'
Feb 17 21:49:37 fbsd12 tftpd[1512]: 192.168.0.16: write request for /tmp/tftpboot/world_readable: success
Note that this is not a security vulnerability, because the transfer ultimately
doesn't work unless the file already exists and is owned by user nobody.
--
You are receiving this mail because:
You are the assignee for the bug.
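
Added example, not part of the original report and not tftpd's source: the mode-bit test the report describes next to the one it asks for, applied to a scratch file with mode 444. The names req_kind, access_as_reported, access_corrected and scratch_mode are hypothetical; only the S_IROTH and S_IWOTH bits come from the report.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical request kinds for this example, not tftpd's definitions. */
enum req_kind { REQ_READ, REQ_WRITE };

/* Check as the report describes it: S_IROTH is tested for every request. */
static int access_as_reported(mode_t st_mode, enum req_kind kind)
{
    (void)kind;
    return (st_mode & S_IROTH) != 0;
}

/* Check the report asks for: S_IWOTH for writes, S_IROTH for reads. */
static int access_corrected(mode_t st_mode, enum req_kind kind)
{
    mode_t need = (kind == REQ_WRITE) ? S_IWOTH : S_IROTH;
    return (st_mode & need) != 0;
}

/* Stat a scratch file created with the given mode (constructed input). */
static int scratch_mode(mode_t mode, struct stat *sb)
{
    char path[] = "/tmp/tftpd_mode_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    int rc = (fchmod(fd, mode) == 0 && fstat(fd, sb) == 0) ? 0 : -1;
    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    struct stat sb;
    if (scratch_mode(0444, &sb) != 0) {
        perror("scratch file");
        return 1;
    }
    printf("mode 0444, write request: as reported=%d corrected=%d\n",
           access_as_reported(sb.st_mode, REQ_WRITE),
           access_corrected(sb.st_mode, REQ_WRITE));
    return 0;
}
```

A regression test for the fix can assert the same thing end to end: a write request against a mode 444 file must be refused, and one against a mode 666 file accepted.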