Bugtraq mailing list archives

Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)


From: aleph1 () dfw net (Aleph One)
Date: Thu, 13 Jul 1995 11:58:54 -0500


Aleph One / aleph1 () dfw net
http://underground.org/

On Wed, 12 Jul 1995, Henri Karrenbeld wrote:

> 1) access a 'link' to /etc/shadow this way, and I could read the file.
> 2) overwrite /var/adm/xferlog this way ( echo "This file is hacked" > )
>    (with a '>' not '>>') and what it did, it appended to the file,
>    which looks weird because I specified that I wanted to overwrite;
>    maybe, if someone explains to us how this actually works in the /proc
>    filesystem, this isn't so strange?

The reason it doesn't overwrite and it appends is because you are not
reopening the file, you are using an already open file, that was probably
opened in append only mode.

> Of course, we've also tried this. However, we were not able to overwrite
> the file with our own program, but we assumed this was because the binary
> was 'busy', being executed (have you ever tried stripping an executable
> that was running, for example?)

Nope, again the reason is because this is an already open file that was
opened read only, so you can't write to a read only file descriptor.

> Well, _I_ might be wrong about the whole thing too, however the things
> mentioned at (1) and (2) _did_ work on 5 systems that we tried it on
> (1 system with /etc/shadow (wu.ftpd 2.4), 3 systems with /usr/adm/xferlog
> (wu.ftpd 2.4) and 1 system with /var/adm/wtmp (wu.ftpd 2.4.2 beta4))
> so there is definitely _some_ security problem on _our_ machines.

Upgrade to 1.2.11 and to 1.2.12 when it comes out.

> $) Henri Karrenbeld
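
The two explanations in this reply (a write through an already open append-mode file lands at the end, and a write through an already open read-only file fails) can be checked with a short C program. This is an added example, not part of the original post: it uses dup() as a stand-in for a second handle on the same open file, which is an assumption about how the /proc link behaved on the systems discussed, and the scratch file names and contents are constructed.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a scratch file (constructed sample) containing "first\n". */
static int make_file(char *tmpl) {
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (write(fd, "first\n", 6) != 6) { close(fd); return -1; }
    return close(fd);
}

/* Rewind and write through a handle sharing an O_APPEND open; returns final size. */
long append_through_shared_fd(void) {
    char path[] = "/tmp/fdmodeXXXXXX";
    struct stat st; long size = -1;
    if (make_file(path) < 0) return -1;
    int logfd = open(path, O_WRONLY | O_APPEND);   /* how a daemon opens its log */
    int shared = dup(logfd);                       /* same open file, same flags */
    if (shared >= 0 && lseek(shared, 0, SEEK_SET) == 0 &&
        write(shared, "second\n", 7) == 7 && fstat(shared, &st) == 0)
        size = (long)st.st_size;                   /* 13 = appended, 7 = overwritten */
    if (shared >= 0) close(shared);
    if (logfd >= 0) close(logfd);
    unlink(path);
    return size;
}

/* Write through a handle sharing an O_RDONLY open; returns errno (0 = success). */
int write_through_readonly_fd(void) {
    char path[] = "/tmp/fdmodeXXXXXX";
    int err = 0;
    if (make_file(path) < 0) return -1;
    int rofd = open(path, O_RDONLY);               /* how a running binary is held open */
    int shared = dup(rofd);
    if (shared < 0 || write(shared, "x", 1) < 0) err = errno;
    if (shared >= 0) close(shared);
    if (rofd >= 0) close(rofd);
    unlink(path);
    return err;
}

/* Exit status 0 when both behaviours match the explanation in the reply. */
int main(void) {
    return !(append_through_shared_fd() == 13 && write_through_readonly_fd() == EBADF);
}
```

The write fails with EBADF whatever the file's permission bits say, because the access mode belongs to the open file, not to the path.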



