ftpd security issue ?

Mike Tancsa mike at sentex.net
Thu Dec 8 21:53:07 UTC 2011

On 11/30/2011 8:37 PM, Mike Tancsa wrote:
> On 11/30/2011 8:16 PM, Xin LI wrote:
>> Sorry I patched at the wrong place, this one should do.
>> Note however this is not sufficient to fix the problem, for instance
>> one can still upload .so's that run arbitrary code at his privilege,
>> which has to be addressed in libc.  I need some time to play around
>> with libc to really fix this one.
> Hi,
> 	Yes, that looks better!  With respect to users uploading .so files, I
> guess why not just upload executables directly ?  Although I suppose if
> they are not allowed to execute anything, this would be a way around that.
> Now to prod the proftpd folks

I was testing sshd when the user's sftp session is chrooted to see how
it behaves. Because of the safety design of the way sshd is written, its
not possible to do this out of the box.  The person would first need to
create those files as root since the chroot directory is not writeable
by the user as explained in

But if somehow the user is able to create those directories at the top,
or those directories are created ahead of time for the user thats
writeable by them, the bogus lib will and does run in the user's context.

I dont imagine this is common, but I am sure there is some potential
foot shooting going on.  Looking at the scponly port, it seems well
aware of this based on the suggested setup.  But again, foot shooting
could happen if the lib path is not secured properly.

Other than having /etc/nsswitch.conf, are there any other methods that
would trigger loading of shared libs in the chrooted environment ?


Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/

More information about the freebsd-security mailing list