ftpd security issue ?

Mike Tancsa mike at sentex.net
Mon Dec 5 19:45:09 UTC 2011

On 11/30/2011 8:16 PM, Xin LI wrote:
> On 11/30/11 17:01, Mike Tancsa wrote:
>> On 11/30/2011 7:01 PM, Xin LI wrote:
>>>> BTW. This vulnerability affects only configurations, where 
>>>> /etc/ftpchroot exists or anonymous user is allowed to create
>>>> files inside etc and lib dirs.
>>> This doesn't seem to be typical configuration or no?
>> I think in shared hosting environments it would be somewhat common.
>> For annon ftp, I dont think the anon user would be able to create /
>> write to a lib directory.
>>> Will the attached patch fix the problem?
>>> (I think libc should just refuse /etc/nsswitch.conf and libraries
>>> if they are writable by others by the way)
>> It does not seem to prevent the issue for me.  Using Przemyslaw
>> program's,
> Sorry I patched at the wrong place, this one should do.
> Note however this is not sufficient to fix the problem, for instance
> one can still upload .so's that run arbitrary code at his privilege,
> which has to be addressed in libc.  I need some time to play around
> with libc to really fix this one.

Forgive the naive question, but is there a way to prevent a process (in
this case proftpd) from loading a .so if the session is in a chrooted
environment ?  Or if at the start of the process, is there a way to
force the process to load a lib so that later on, it wont try and load
the "bad" lib ?


Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/

More information about the freebsd-security mailing list