Bugtraq mailing list archives

Re: mirror 2.9 hole


From: kelm () PCA DFN DE (Stefan Kelm)
Date: Tue, 19 Oct 1999 17:23:35 +0200


mirror is a Perl script which is widely used for making copies of remote
FTP sites. It is included in the FreeBSD packages. There are security holes
which allow overwriting local files from a remote FTP site with the
permissions of the user who runs mirror. When retrieving a directory
listing, mirror doesn't check whether a filename or directory name contains
".." or "\". This allows files to be created or overwritten in a directory
different from the destination.

To simply test this bug you can create a " .." directory on your FTP
site and mirror your site. Mirror will create temporary files in the
directory one level higher than the one specified. This way you couldn't
overwrite any useful information, but it may be used, for example, to
fill up the / directory (if mirror is run as root).

But by putting a small change into your ftpd (for example making it
change '\' to '/' in listings) you can force mirror to overwrite _any_
file with the permissions of the mirror user when they mirror your FTP site.


Tested with:
$ mirror -v
$Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $

I can confirm the behaviour you describe for mirror.pl,v 2.8 running on
Solaris, although I wasn't able to create any temporary files by using a
"\" in either the file names or the directory names.

However, the default mirror configuration shows the following part:

  # Don't touch anything whose name begins with a space!
  exclude_patt=(^|/)(.mirror$|.in..*.$|MIRROR.LOG|#.*#|.FSP|.cache|.zipped|lost+found/| )

(you might want to quote the space character at the end)

Even the man page recommends using the line above. Be careful not to
overwrite the keyword exclude_patt in your own mirror files. If you do
have to use exclude_patt, be sure to specify something like:

  exclude_patt+|^blah/|             (note the "+" sign!)

This should not allow temporary files to be created through " ..". At
least it didn't on my system.  :-)

Cheers,

        Stefan.

______________________________________________________________________________
Stefan Kelm            PGP key: "finger kelm () www pca dfn de" or via key server
DFN-PCA                                                      <kelm () pca dfn de>
Vogt-Koelln-Str. 30                               http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)                   Tel: +49 40 428 83-2262 / Fax: -2241
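As an added example, not code from mirror.pl or from either poster: the Perl
below applies the checks the report says mirror lacks (rejecting "..", "\"
and surrounding whitespace in listed names, and refusing any joined path that
leaves the destination directory) and runs the quoted default exclude_patt
against the " .." name from the report. The destination path and the listing
entries are constructed for the example; that mirror matches exclude_patt as
a Perl regex against each path relative to the site root is an assumption.

```perl
#!/usr/bin/perl
# Added example, not code from mirror.pl or from the posters: validate names
# taken from a remote FTP listing before joining them to the local
# destination, and check the exclude_patt rule against the " .." name.
use strict;
use warnings;

# The default exclude_patt quoted in the message, written here with the regex
# metacharacters ('.', '+') escaped and the trailing space written as '\ ' so
# it cannot be lost. Assumption: mirror matches this against each remote path
# relative to the site root.
my $exclude_patt = qr{(^|/)(\.mirror$|\.in\..*\.$|MIRROR\.LOG|#.*#|\.FSP|\.cache|\.zipped|lost\+found/|\ )};

# Returns (1, 'ok') if a listing entry is safe to mirror, (0, reason) if not.
sub safe_remote_name {
    my ($name) = @_;
    return (0, 'empty name')        if !defined $name || $name eq '';
    return (0, 'absolute path')     if $name =~ m{^/};
    return (0, 'backslash in name') if $name =~ m{\\};   # a patched ftpd can turn '\' into '/'
    return (0, 'control character') if $name =~ m{[\x00-\x1f\x7f]};
    for my $part (split m{/}, $name) {
        (my $bare = $part) =~ s/^\s+|\s+$//g;             # " .." becomes ".." once whitespace is gone
        return (0, "dot-dot component '$part'") if $bare eq '..' || $bare eq '.';
        return (0, "whitespace around '$part'") if $bare ne $part;
    }
    return (1, 'ok');
}

# Join a validated name to the local destination and refuse anything that
# would land outside it, even if the name check above were bypassed.
sub local_path_for {
    my ($dest, $name) = @_;
    my ($ok, $why) = safe_remote_name($name);
    die "refusing '$name': $why\n" unless $ok;
    die "refusing '$name': matches exclude_patt\n" if $name =~ $exclude_patt;
    $dest =~ s{/+$}{};
    my $path = "$dest/$name";
    $path =~ s{/+}{/}g;
    die "refusing '$name': escapes $dest\n" unless index($path, "$dest/") == 0;
    return $path;
}

# Constructed listing entries: a normal file, the " .." trick from the
# report, the backslash variant a patched ftpd could serve, and plain "..".
my %entries = (
    'pub/README'               => 'normal file',
    ' ..'                      => 'space-dot-dot directory',
    'pub\\..\\..\\etc\\passwd' => 'backslash traversal',
    'pub/../../etc/passwd'     => 'plain traversal',
);

my $dest = '/home/mirror/site';   # constructed destination directory
for my $name (sort keys %entries) {
    my $excluded = ($name =~ $exclude_patt) ? 'excluded by exclude_patt' : 'not excluded';
    my $path = eval { local_path_for($dest, $name) };
    printf "%-28s %-25s %s", "'$name'", $excluded,
        defined $path ? "-> $path\n" : $@;
}
```

Running it shows the point Stefan's reply makes: only " .." is caught by
exclude_patt (through the trailing-space alternative), while the "\" and "/"
traversal names are not excluded by that pattern at all and are stopped only
by the name check, so exclude_patt is a workaround for one symptom rather
than a fix for the missing validation.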

