Bugtraq mailing list archives

BoS: serious security bug in wu-ftpd v2.4 -- PATCH

From: security () kinch ark com (Dave Kinchlea)
Date: Sun, 5 Jan 1997 22:49:45 -0800


On Sun, 5 Jan 1997, Dave Kinchlea wrote:
[...]

                                              If there is
interest, I can make the patches available.

cheers, kinch


Appearently there is. I note that two people have mentioned that my
simple suspendsigs/resumesigs functions may not be the best solutions.
One person mentioned that some signals may get lost as they are just
being ignored, another mentioned that signal() is unreliable on some
systems. I am not going to change these, however, as to do better
requires more knowledge of all the different flavours of signal than I
have. Others can (and probably will), the patches will still be good
regardless.

First, my simple functions followed by the patches (unified diff
format). Please take note that these patches are against sources that
have been patched for Linux+PAM+RedHat release.

 It goes without saying that I take no responsibility for any
damage done as a result of this yada yada yada ...

/* ######################### sigfix.c ################################# */

/* These two functions are a kludge to try to stop a possible
security problem with stray signals and seteuid(0) calls. I am
taking the idea from Wietse Venema, I don't see how it can harm
anything and ought to stop this particular hole (until a new/better
method is found).
*/
void
#ifdef __STDC__
suspendsigs(void)
#else
suspendsigs()
#endif
{
#ifdef SIGPIPE
    (void) signal(SIGPIPE, SIG_IGN);
#endif

#ifdef SIGURG
    (void) signal(SIGURG, SIG_IGN);
#endif
}

void
#ifdef __STDC__
resumesigs(void)
#else
reseumesigs()
#endif
{
#ifdef SIGPIPE
    (void) signal(SIGPIPE, lostconn);
#endif

#ifdef SIGURG
    if ((int) signal(SIGURG, myoob) < 0)
        syslog(LOG_ERR, "signal: %m");
#endif
}

######################## wu-kinch.patch #############################
--- ./wu-ftpd-2.4.2-beta-11/src/makefiles/Makefile.lnx.kinch    Sun Jan  5 20:29:24 1997
+++ ./wu-ftpd-2.4.2-beta-11/src/makefiles/Makefile.lnx  Sun Jan  5 20:28:28 1997
@@ -16,9 +16,11 @@
 MKDEP    = ../util/mkdep

 SRCS   = ftpd.c ftpcmd.c glob.c logwtmp.c popen.c vers.c access.c extensions.c \
-         realpath.c acl.c private.c authenticate.c conversions.c hostacc.c
+         realpath.c acl.c private.c authenticate.c conversions.c hostacc.c \
+         sigfix.c
 OBJS   = ftpd.o ftpcmd.o glob.o logwtmp.o popen.o vers.o access.o extensions.o \
-         realpath.o acl.o private.o authenticate.o conversions.o hostacc.o
+         realpath.o acl.o private.o authenticate.o conversions.o hostacc.o \
+         sigfix.o

 ifdef USE_PAM
 CFLAGS  += -DUSE_PAM=1
--- ./wu-ftpd-2.4.2-beta-11/src/private.c.kinch Sun Jan  5 12:56:55 1997
+++ ./wu-ftpd-2.4.2-beta-11/src/private.c       Sun Jan  5 14:13:21 1997
@@ -318,9 +318,11 @@
     uid = geteuid();
     gid = grp->gr_gid;

+    suspendsigs(); /* we can't allow any signals while euid==0: kinch */
     seteuid(0);
     setegid(gid);
     seteuid(uid);
+    resumesigs(); /* we can allow signals once again: kinch */

     reply(200, "Group access enabled.");
     group_attempts = 0;
--- ./wu-ftpd-2.4.2-beta-11/src/popen.c.kinch   Mon Dec 11 01:14:43 1995
+++ ./wu-ftpd-2.4.2-beta-11/src/popen.c Sun Jan  5 14:11:44 1997
@@ -168,9 +168,11 @@
        /* begin CERT suggested fixes */
        close(0);
         i = geteuid();
+       suspendsigs(); /* we can't allow any signals while euid==0: kinch */
         seteuid(0);
         setgid(getegid());
         setuid(i);
+       resumesigs(); /* we can allow signals once again: kinch */
        /* end CERT suggested fixes */
        execv(gargv[0], gargv);
         _exit(1);
--- ./wu-ftpd-2.4.2-beta-11/src/ftpd.c.kinch    Sun Jan  5 13:53:03 1997
+++ ./wu-ftpd-2.4.2-beta-11/src/ftpd.c  Sun Jan  5 20:37:58 1997
@@ -1234,6 +1234,7 @@
 #endif
 {

+    suspendsigs(); /* we can't allow any signals while euid==0: kinch */
     (void) seteuid((uid_t) 0);
     if (logged_in)
         logwtmp(ttyline, "", "");
@@ -1578,6 +1579,7 @@
       return 0;
     }
 #endif
+    resumesigs(); /* we can allow signals once again: kinch */

     if (*home_dir != '\0') {
       if (chdir(home_dir) < 0) {
@@ -2062,13 +2064,16 @@

     if (valid > 0) {
         oldid = geteuid();
+        suspendsigs(); /* we can't allow any signals while euid==0: kinch */
         (void) seteuid((uid_t) 0);
         if ((fchown(fdout, uid, gid)) < 0) {
             (void) seteuid(oldid);
+            resumesigs(); /* we can allow signals once again: kinch */
             perror_reply(550, "fchown");
             return;
         }
         (void) seteuid(oldid);
+        resumesigs(); /* we can allow signals once again: kinch */
     }
 #endif /* UPLOAD */

@@ -2206,6 +2211,7 @@

     if (data >= 0)
         return (fdopen(data, mode));
+    suspendsigs(); /* we can't allow any signals while euid==0: kinch */
     (void) seteuid((uid_t) 0);
     s = socket(AF_INET, SOCK_STREAM, 0);
     if (s < 0)
@@ -2237,6 +2243,7 @@
     }
 #endif
     (void) seteuid((uid_t) pw->pw_uid);
+    resumesigs(); /* we can allow signals once again: kinch */

 #ifdef IPTOS_THROUGHPUT
     on = IPTOS_THROUGHPUT;
@@ -2258,6 +2265,7 @@
     return (fdopen(s, mode));
   bad:
     (void) seteuid((uid_t) pw->pw_uid);
+    resumesigs(); /* we can allow signals once again: kinch */
     (void) close(s);
     return (NULL);
 }
@@ -3157,6 +3165,7 @@
 #endif
 {
     if (logged_in) {
+        suspendsigs(); /* we can't allow any signals while euid==0: kinch */
         (void) seteuid((uid_t) 0);
         logwtmp(ttyline, "", "");
     }
@@ -3233,12 +3242,15 @@
     }
     pasv_addr = ctrl_addr;
     pasv_addr.sin_port = 0;
+    suspendsigs(); /* we can't allow any signals while euid==0: kinch */
     (void) seteuid((uid_t) 0);         /* XXX: not needed if > 1024 */
     if (bind(pdata, (struct sockaddr *) &pasv_addr, sizeof(pasv_addr)) < 0) {
         (void) seteuid((uid_t) pw->pw_uid);
+        resumesigs(); /* we can allow signals once again: kinch */
         goto pasv_error;
     }
     (void) seteuid((uid_t) pw->pw_uid);
+    resumesigs(); /* we can allow signals once again: kinch */
     len = sizeof(pasv_addr);
     if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0)
         goto pasv_error;
--- ./wu-ftpd-2.4.2-beta-11/src/realpath.c.kinch        Sun Apr 14 22:51:15 1996
+++ ./wu-ftpd-2.4.2-beta-11/src/realpath.c      Sun Jan  5 14:12:39 1997
@@ -86,6 +86,7 @@
         if (!getwd(workpath)) {
 #endif
                userid = geteuid();
+               suspendsigs(); /* we can't allow any signals while euid==0: kinch */
                seteuid(0);
 #ifdef HAVE_GETCWD
                if (!getcwd(workpath,MAXPATHLEN)) {
@@ -94,9 +95,11 @@
 #endif
                    strcpy(result, ".");
                    seteuid(userid);
+                   resumesigs(); /* we can allow signals once again: kinch */
                    return (NULL);
                }
                seteuid(userid);
+               resumesigs(); /* we can allow signals once again: kinch */
        }
     } else
         *workpath = '\0';

Current thread:

Re: BoS: serious security bug in wu-ftpd v2.4 Dave Kinchlea (Jan 05)
- BoS: serious security bug in wu-ftpd v2.4 -- PATCH Dave Kinchlea (Jan 05)
  - Re: BoS: serious security bug in wu-ftpd v2.4 -- PATCH Henrik P Johnson (Jan 12)
  - Stronghold v1.3.3: Security Release Sean B. Hamor (Jan 13)
  - [linux-security] SECURITY: Important bug fix for /sbin/login Erik Troan (Jan 16)
  - Smashing the stack on a DEC Alpha Lamont Granquist (Jan 16)
    - Re: Smashing the stack on a DEC Alpha Digital Dreamer (Jan 16)
    - Re: Smashing the stack on a DEC Alpha Julian Assange (Jan 16)
    - FreeBSD Security Advisory: SA-96:21 - talkd FreeBSD Security Officer (Jan 18)
    - Re: FreeBSD Security Advisory: SA-96:21 - talkd Theo de Raadt (Jan 20)
    - talkd problem Theo de Raadt (Jan 20)
    - Re: talkd problem David Holland (Jan 20)

(Thread continues...)