~/.login_conf mechanism is flawed
Przemyslaw Frasunek
przemyslaw at frasunek.com
Tue Aug 10 09:45:37 UTC 2010
> What I found especially worrying is that this user-supplied untrustable
> file is being parsed and processed by various daemons and other
> login mechanisms BEFORE permanently dropping root privileges. Unless
> there is a very strong reason, which I am overlooking, to do so, I
> find this design very flawed.
This seems to be incorrect for both ftpd and sshd on 6.4-RELEASE.
41673 sshd CALL setuid(0xbb8)
41673 sshd RET setuid 0
41673 sshd CALL seteuid(0xbb8)
41673 sshd RET seteuid 0
41673 sshd NAMI "/home/venglin/.login_conf"
41673 sshd NAMI "/home/venglin/.login_conf.db"
41673 sshd NAMI "/home/venglin/.login_conf.db"
41513 ftpd CALL seteuid(0xbb8)
41513 ftpd RET seteuid 0
41513 ftpd NAMI "/home/venglin/.login_conf"
41513 ftpd NAMI "/home/venglin/.login_conf.db"
41513 ftpd NAMI "/home/venglin/.login_conf.db"
Back in 2001 I found a very similar vulnerability in 4.4-RELEASE, which allowed
to read any file in system with root privileges:
http://marc.info/?l=bugtraq&m=100101802423376&w=2
Since then, elevated privileges are dropped before parsing login_conf.
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin at nette.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
More information about the freebsd-security
mailing list