Bugtraq mailing list archives

Re: chrooted superuser (was wu-ftpd info.)


From: fitz () wang com (Tom Fitzgerald)
Date: Wed, 13 Apr 1994 21:55:11 -0400 (EDT)


Assume now that I have a tcp wrapper that does the chroot for ftpd
_whenever_ it's invoked.  This is true for non-anonymous as well as
anonymous logins; it happens before the ftpd is ever exec'ed.
Furthermore, assume that the chrooted-to volume is mounted
nosuid,nodev.  Can a trojaned ftpd be used to compromise or harm the
system outside of the ftp hierarchy?

If your ftpd can authenticate users while locked into the chrooted volume,
and you're not using kerberos or something, then user passwords have to be
stored in the chrooted area where ftpd can read them.

USER root
PASS NULL
PORT ....
RETR /etc/shadow    ... or whatever

Now you've got something to start cracking on.  If you add kerberos, I think
that may fix things.

-- 
Tom Fitzgerald   Wang Labs   Lowell MA, USA   1-508-967-5278   fitz () wang com
Pardon me, I'm lost, can you direct me to the information superhighway?
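As an added example (not part of the original post or Tom Fitzgerald's work), the following POSIX shell script turns the two points above into a defender's audit of a chroot tree: it reports when a password store that ftpd could read (an `/etc/shadow`, or an `/etc/passwd` with hashes in the second field) sits inside the chroot, and checks that the volume's mount options carry `nosuid,nodev`. The file locations under the chroot and the sample password lines are assumptions constructed for the demonstration; the hash values are placeholders, not real hashes.

```shell
#!/bin/sh
# Audit a chroot tree for credential material that a trojaned ftpd running
# inside it could hand out, and check the mount options of the chroot volume.
# Constructed example; paths under the chroot are assumed, not taken from a
# real system.

# chroot_has_hashes DIR: true (0) when DIR/etc/shadow exists or DIR/etc/passwd
# carries a real hash in field 2 (anything other than "x", "*", "" or "!...").
chroot_has_hashes() {
    dir="$1"
    if [ -e "$dir/etc/shadow" ]; then
        return 0
    fi
    if [ -r "$dir/etc/passwd" ]; then
        if awk -F: '$2 != "x" && $2 != "*" && $2 != "" && $2 !~ /^!/ { found=1 }
                    END { exit !found }' "$dir/etc/passwd"; then
            return 0
        fi
    fi
    return 1
}

# mount_opts_ok OPTS: true when the comma-separated option string holds both
# nosuid and nodev, the mount options the thread assumes for the chroot volume.
mount_opts_ok() {
    case ",$1," in
        *,nosuid,*) ;;
        *) return 1 ;;
    esac
    case ",$1," in
        *,nodev,*) return 0 ;;
        *) return 1 ;;
    esac
}

# mount_opts_for MOUNTPOINT: Linux only; prints the option field from
# /proc/mounts for the given mount point (empty if not mounted).
mount_opts_for() {
    awk -v mp="$1" '$2 == mp { print $4 }' /proc/mounts 2>/dev/null
}

# build_sample_chroot DIR KIND: constructs a demo tree. KIND=bad places a
# placeholder hash in passwd plus a shadow file; KIND=good uses "*" and no
# shadow file. CONSTRUCTEDHASH is a placeholder, not a real hash.
build_sample_chroot() {
    mkdir -p "$1/etc"
    if [ "$2" = bad ]; then
        printf 'root:CONSTRUCTEDHASH:0:0:root:/:/bin/sh\n' > "$1/etc/passwd"
        printf 'root:CONSTRUCTEDHASH:0:0:99999:7:::\n' > "$1/etc/shadow"
    else
        printf 'ftp:*:14:50:FTP User:/:/bin/false\n' > "$1/etc/passwd"
    fi
}

# audit_chroot DIR OPTS: print findings; returns 0 when clean, 1 otherwise.
audit_chroot() {
    rc=0
    if chroot_has_hashes "$1"; then
        echo "WARN: password hashes readable under $1/etc"
        rc=1
    fi
    if ! mount_opts_ok "$2"; then
        echo "WARN: chroot volume lacks nosuid,nodev (opts: $2)"
        rc=1
    fi
    return $rc
}

# Stand-alone demonstration against constructed trees in a temp dir.
demo() {
    d=$(mktemp -d)
    build_sample_chroot "$d/bad" bad
    build_sample_chroot "$d/good" good
    audit_chroot "$d/bad" "rw" || :
    audit_chroot "$d/good" "rw,nosuid,nodev" && echo "OK: $d/good is clean"
    rm -rf "$d"
}
demo
```

On a live Linux box, feed `audit_chroot` the real chroot path and `$(mount_opts_for /path/to/chroot)`; on other systems take the option string from `mount` output. A clean result only confirms that no readable password store and no suid/device surface exist inside the chroot; as the post notes, authenticating real users inside the chroot without kerberos forces the password store back in, so the audit will warn on exactly that configuration.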
