Bugtraq mailing list archives
Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)
From: aleph1 () dfw net (Aleph One)
Date: Thu, 13 Jul 1995 11:58:54 -0500
Aleph One / aleph1 () dfw net
http://underground.org/

On Wed, 12 Jul 1995, Henri Karrenbeld wrote:
> 1) access a 'link' to /etc/shadow this way, and I could read the file.
> 2) overwrite /var/adm/xferlog this way ( echo "This file is hacked" > ) (with a '>' not '>>') and what it did, it appended to the file, which looks weird because I specified that I wanted to overwrite; maybe, if someone explains to us how this actually works in the /proc filesystem, this isn't so strange?
The reason it doesn't overwrite and it appends is because you are not reopening the file; you are using an already open file that was probably opened in append-only mode.
> Of course, we've also tried this. However, we were not able to overwrite the file with our own program, but we assumed this was because the binary was 'busy', being executed (have you ever tried stripping an executable that was running, for example?)
Nope, again the reason is because this is an already open file that was opened read-only, so you can't write to a read-only file descriptor.
> Well, _I_ might be wrong about the whole thing too, however the things mentioned at (1) and (2) _did_ work on 5 systems that we tried it on (1 system with /etc/shadow (wu.ftpd 2.4), 3 systems with /usr/adm/xferlog (wu.ftpd 2.4) and 1 system with /var/adm/wtmp (wu.ftpd 2.4.2 beta4)) so there is definitely _some_ security problem on _our_ machines.
Upgrade to 1.2.11 and to 1.2.12 when it comes out.
> $) Henri Karrenbeld
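
The descriptor behaviour discussed in this message, as an added example that is not part of the original post: a descriptor keeps the access mode it was opened with, so a write through an O_APPEND descriptor lands at the end of the file even after a seek to offset 0, and a write through an O_RDONLY descriptor fails with EBADF. The scratch file under /tmp, its contents and the function names are constructed for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a scratch file holding `content` (constructed sample data), reopen
 * it with `flags`, and unlink it so it vanishes once the descriptor closes. */
static int open_scratch(const char *content, int flags)
{
    char path[] = "/tmp/fdmodeXXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t n = write(fd, content, strlen(content));
    close(fd);
    fd = (n < 0) ? -1 : open(path, flags);
    unlink(path);
    return fd;
}

/* Seek an O_APPEND descriptor to offset 0, write, and return the file size.
 * An overwrite would leave the size at 18; an append grows it to 27. */
long append_fd_demo(void)
{
    const char *msg = "new data\n";
    int fd = open_scratch("existing log line\n", O_WRONLY | O_APPEND);
    if (fd < 0) return -1;
    lseek(fd, 0, SEEK_SET);                 /* attempt to rewind to the start */
    long size = (write(fd, msg, strlen(msg)) < 0) ? -1 : (long)lseek(fd, 0, SEEK_END);
    close(fd);
    return size;
}

/* Write through an O_RDONLY descriptor and return the errno (0 if it worked). */
int rdonly_fd_write_errno(void)
{
    int fd = open_scratch("data\n", O_RDONLY);
    if (fd < 0) return -1;
    int err = (write(fd, "x", 1) < 0) ? errno : 0;
    close(fd);
    return err;
}

int main(void)
{
    printf("size=%ld errno=%d\n", append_fd_demo(), rdonly_fd_write_errno());
    return 0;
}
```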