Bugtraq mailing list archives
Glftpd privpath bugs... +fix
From: raymond () THRIJSWIJK NL (Raymond Dijkxhoorn)
Date: Mon, 26 Jun 2000 10:54:25 +0200
Hi!

Glftpd 1.18 till 1.21b8 (current beta) have a serious problem with the privpath directives.... It will probably be fixed in the coming 1.21b9, but I have included a quick fix in this one to prevent exploits of this bug. Thanks to Hoopy for the quick fix (glftpd dev team).

Problem:

When you know the private dir names on a site, or groupdirs, you can just 'try' to get in .. and it's very easy. If you know the name of a groupdir you can simply change into it using the completion function on glftpd.

If you have a private dir / group dir, for example /Groups/Mygroup, and you have a dir named 'test' there, you can simply jump to it by typing 'chdir /Groups/Mygroup/t

glftpd does not check if you have the proper rights to see the dir, it just hops in there without any problem. So if you try a-9 on the dirnames you can see all stuff inside a private dir. It takes some time, but with a nice script it's not that hard... ;-)

Fix:

Put in the attached fix; instructions are also inside the .c file. It will ONLY exploiting of the bug on glftpd 1.20 and above, so if you're running <<1.20 then upgrade to the latest version. I'll post a short note when the fixed binary is out also....

In the glftpd.conf:

cscript cwd pre /bin/leakfix

Bye,
Raymond Dijkxhoorn.

TEXT/PLAIN attachment: leakfix.c
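The check order the post describes, as an added example that is not part of the original message and is not the attached leakfix.c or glftpd code: a simplified model in which the flawed path skips the rights check when a name was completed, and the corrected path checks the directory actually resolved. The directory list, the single privpath rule and all function names are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample tree and one private-path rule (assumptions, not site data). */
static const char *DIRS[] = { "/Groups/Mygroup", "/Groups/Mygroup/test",
                              "/Groups/Mygroup2", "/pub" };
#define NDIRS (sizeof DIRS / sizeof DIRS[0])
static const char *PRIV_PATH = "/Groups/Mygroup", *PRIV_GROUP = "Mygroup";

/* Hypothetical helper: exact match first, else a unique completion of the
 * last path component; NULL when nothing matches or the match is ambiguous. */
static const char *resolve_dir(const char *req) {
    const char *hit = NULL;
    size_t n = strlen(req), i;
    for (i = 0; i < NDIRS; i++)
        if (strcmp(DIRS[i], req) == 0) return DIRS[i];
    for (i = 0; i < NDIRS; i++)
        if (strncmp(DIRS[i], req, n) == 0 && !strchr(DIRS[i] + n, '/')) {
            if (hit) return NULL;
            hit = DIRS[i];
        }
    return hit;
}

/* 1 if `group` may enter `path`. The rule matches whole path components,
 * so /Groups/Mygroup2 is not covered by a rule for /Groups/Mygroup. */
static int privpath_allows(const char *path, const char *group) {
    size_t n = strlen(PRIV_PATH);
    int covered = strncmp(path, PRIV_PATH, n) == 0 &&
                  (path[n] == '/' || path[n] == '\0');
    return !covered || strcmp(group, PRIV_GROUP) == 0;
}

/* Model of the reported flaw: rights are checked only for an exact name. */
const char *cwd_flawed(const char *req, const char *group) {
    const char *dir = resolve_dir(req);
    if (dir && strcmp(dir, req) == 0 && !privpath_allows(dir, group))
        return NULL;
    return dir;
}

/* Corrected order: resolve first, then check the directory being entered. */
const char *cwd_checked(const char *req, const char *group) {
    const char *dir = resolve_dir(req);
    return (dir && privpath_allows(dir, group)) ? dir : NULL;
}

int main(void) {
    const char *req = "/Groups/Mygroup/t";
    printf("flawed:  %s\n", cwd_flawed(req, "other") ? "entered" : "denied");
    printf("checked: %s\n", cwd_checked(req, "other") ? "entered" : "denied");
    return 0;
}
```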