Bugtraq mailing list archives
Re: wu-ftpd info.
From: mouse () collatz mcrcim mcgill edu (der Mouse)
Date: Wed, 13 Apr 1994 15:23:59 -0400
> What are the dangers posed by someone gaining root access, as through a trojaned ftpd, in a _chrooted_ environment, assuming that the environment gets chrooted before there's any chance of compromise?

That's a big assumption; I think the wuftpd bug didn't require committing to anonymous access before the potential compromise. But to answer your question....

> Granted, you don't want strangers enabled to wreak havoc with your ftp hierarchy (and planting _more_ trojans), but what kind of threats can be posed to the rest of the system from such a toehold?

First, note that the lack of development tools (like cc) is not a barrier, since we can probably assume that the intruder has access to a binary-compatible machine. (We certainly can't assume this is not so.)

What can you do as root? Let's see. You can create a new /dev/kmem or /dev/mem with mknod(2) and use it to patch the location in the kernel that holds your current root directory...and thereby blow chroot()'s "security" clean out of the water.

der Mouse
mouse () collatz mcrcim mcgill edu
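A defender-side check for the scenario in the message above, added here as an example and not part of the original post: it walks an FTP chroot tree and reports every character or block device node that is not on an allowlist. The function names, the allowlist and the Linux device number used for /dev/zero are assumptions.

```python
import os
import stat

# Assumed allowlist: device nodes the chroot is expected to contain, as
# (type, major, minor). (1, 5) is /dev/zero on Linux; adjust per platform.
ALLOWED_DEVICES = {("char", 1, 5)}


def classify(st_mode, st_rdev, allowed=ALLOWED_DEVICES):
    """Return a finding string for one inode, or None if it is unremarkable."""
    if stat.S_ISCHR(st_mode):
        kind = "char"
    elif stat.S_ISBLK(st_mode):
        kind = "block"
    else:
        return None  # regular files, directories, symlinks, FIFOs, sockets
    dev = (kind, os.major(st_rdev), os.minor(st_rdev))
    if dev in allowed:
        return None
    return "unexpected %s device %d,%d" % dev


def audit_chroot(root, allowed=ALLOWED_DEVICES):
    """Walk a chroot tree without following symlinks; return sorted findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: inspect the node, not a link target
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            reason = classify(st.st_mode, st.st_rdev, allowed)
            if reason:
                findings.append((os.path.relpath(path, root), reason))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, reason in audit_chroot(root):
        print("%s: %s" % (rel, reason))
```

Run it from outside the chroot against the tree's real path, so the result does not depend on binaries inside the hierarchy being audited.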