ftpd security issue ?

Xin LI delphij at delphij.net
Thu Dec 1 01:16:40 UTC 2011


On 11/30/11 17:01, Mike Tancsa wrote:
> On 11/30/2011 7:01 PM, Xin LI wrote:
>> 
>>> BTW. This vulnerability affects only configurations, where 
>>> /etc/ftpchroot exists or anonymous user is allowed to create
>>> files inside etc and lib dirs.
>> 
>> This doesn't seem to be typical configuration or no?
> 
> I think in shared hosting environments it would be somewhat common.
> For anon ftp, I don't think the anon user would be able to create /
> write to a lib directory.
> 
>> 
>> Will the attached patch fix the problem?
>> 
>> (I think libc should just refuse /etc/nsswitch.conf and libraries
>> if they are writable by others by the way)
> 
> It does not seem to prevent the issue for me.  Using Przemyslaw's
> program,

Sorry I patched at the wrong place, this one should do.

Note however this is not sufficient to fix the problem, for instance
one can still upload .so's that run arbitrary code at his privilege,
which has to be addressed in libc.  I need some time to play around
with libc to really fix this one.

Cheers,
- -- 
Xin LI <delphij at delphij.net>	https://www.delphij.net/
FreeBSD - The Power to Serve!		Live free or die
-------------- next part --------------
Index: libexec/ftpd/popen.c
===================================================================
--- libexec/ftpd/popen.c	(revision 228164)
+++ libexec/ftpd/popen.c	(working copy)
@@ -143,6 +143,9 @@
 			}
 			(void)close(pdes[1]);
 		}
+		/* Drop privileges before proceeding */
+		if (getuid() != geteuid() && setuid(geteuid()) < 0)
+			_exit(1);
 		if (strcmp(gargv[0], _PATH_LS) == 0) {
 			/* Reset getopt for ls_main() */
 			optreset = optind = optopt = 1;
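
Review bot: the added check before the strcmp(gargv[0], _PATH_LS) branch compares and sets user IDs only; nothing in this hunk does the same for the group ID. If the child's real and effective gids can differ at this point, add the matching setgid(getegid()) step ahead of the setuid() call, since the group can no longer be changed once the uid has been dropped. The comment "Drop privileges before proceeding" would also be more useful if it said why the drop has to happen before the ls_main() path runs, and the failure path leaves through _exit(1) without logging anything, which will make a failed setuid() hard to diagnose.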


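The suggestion quoted in the message, that libc should refuse /etc/nsswitch.conf and libraries writable by others, can be illustrated with a descriptor-based ownership and mode check. This is an added example, not part of the original message, the attached patch, or FreeBSD libc; trusted_open() and accepts_mode() are hypothetical names, and the temporary file is constructed test input.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Added example, not FreeBSD libc code; trusted_open() is hypothetical.
 * Open path read-only (symlinks refused) and keep the descriptor only if
 * it is a regular file owned by `owner` and not writable by group/others.
 * fstat() on the open descriptor checks the same file that is then read.
 * Returns -1 on failure; errno is EPERM when the file is refused. */
int trusted_open(const char *path, uid_t owner)
{
	struct stat sb;
	int fd = open(path, O_RDONLY | O_NOFOLLOW);
	if (fd < 0)
		return (-1);
	if (fstat(fd, &sb) < 0 || !S_ISREG(sb.st_mode) ||
	    sb.st_uid != owner || (sb.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
		(void)close(fd);
		errno = EPERM;
		return (-1);
	}
	return (fd);
}

/* Constructed input: a temp file with the given mode. 1 = accepted. */
int accepts_mode(mode_t mode, uid_t owner)
{
	char tmpl[] = "/tmp/trustcheckXXXXXX";
	int fd = -1, tfd = mkstemp(tmpl);
	if (tfd < 0)
		return (-1);
	if (fchmod(tfd, mode) == 0)
		fd = trusted_open(tmpl, owner);
	(void)close(tfd);
	(void)unlink(tmpl);
	if (fd >= 0)
		(void)close(fd);
	return (fd >= 0);
}

int main(void)
{
	printf("0644: %d, 0666: %d\n", accepts_mode(0644, geteuid()),
	    accepts_mode(0666, geteuid()));
	return (0);
}
```

A real loader would pass uid 0 as the expected owner and would apply the same test to each directory on the path, since a writable parent directory lets the file be replaced.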