Bugtraq mailing list archives

Re: wu-ftpd info.


From: wam () staff cc purdue edu (William McVey)
Date: Wed, 13 Apr 1994 11:14:40 -0500


Ken Hardy wrote:
> What are the dangers posed by someone gaining root access, as through a
> trojaned ftpd, in a _chrooted_ environment, assuming that the environment
> gets chrooted before there's any chance of compromise?

Since the particular directory you are talking about is the ftp
directory, a BadGuy(tm) could upload himself all the things he needs to
break out of a chroot filesystem.  A precompiled program that uses
fchroot(1) could be uploaded and run as root to get you to the "real"
filesystem.

A BadGuy(tm) could also upload and use mknod(8) to break out of the
chroot since devices have no idea whether they are chrooted or not.

In summary, chroot() is only effective if you control what files a
person has access to within the chroot-ed area.  This is not normally
the case with a compromised ftp directory.

 - William McVey
   Purdue University Computing Center
   Systems Administration Group
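
The summary above, turned into a defender-side check (an added example, not part of the original post): walk a chroot area and flag what the message says undermines chroot(), namely device nodes, privileged binaries, and directories whose contents the administrator does not control. The function names, finding labels and the sample tree built in `demo()` are constructed for illustration.

```python
import os
import stat
import tempfile

def classify(mode):
    """Findings for one lstat() mode taken from inside a chroot tree."""
    findings = []
    if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
        findings.append("device-node")          # devices are not confined by chroot
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid-or-setgid")
    if stat.S_ISDIR(mode) and mode & stat.S_IWOTH:
        findings.append("world-writable-dir")   # contents are not under admin control
    return findings

def audit(root):
    """Walk the tree without following symlinks; return {relative path: findings}."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        parent_open = bool(os.lstat(dirpath).st_mode & stat.S_IWOTH)
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            found = classify(mode)
            # An executable sitting in an upload area is a file nobody vetted.
            if parent_open and stat.S_ISREG(mode) and mode & 0o111:
                found.append("executable-in-writable-dir")
            if found:
                report[os.path.relpath(path, root)] = found
    return report

def demo():
    """Audit a constructed sample tree (not a real ftp area)."""
    with tempfile.TemporaryDirectory() as root:
        for sub, perm in (("bin", 0o755), ("incoming", 0o777)):
            os.mkdir(os.path.join(root, sub))
            os.chmod(os.path.join(root, sub), perm)
        for rel in (("bin", "ls"), ("incoming", "tool")):
            path = os.path.join(root, *rel)
            with open(path, "w") as fh:
                fh.write("placeholder\n")
            os.chmod(path, 0o755)
        return audit(root)

if __name__ == "__main__":
    for path, findings in sorted(demo().items()):
        print(path, ", ".join(findings))
```

Run `audit()` as root against the real ftp root so that unreadable subdirectories are not silently skipped.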


