Bugtraq mailing list archives
Re: chrooted superuser (was wu-ftpd info.)
From: fitz () wang com (Tom Fitzgerald)
Date: Wed, 13 Apr 1994 21:55:11 -0400 (EDT)
Assume now that I have a tcp wrapper that does the chroot for ftpd _whenever_ it's invoked. This is true for non-anonymous as well as anonymous logins; it happens before the ftpd is ever exec'ed. Furthermore, assume that the chrooted-to volume is mounted nosuid,nodev. Can a trojaned ftpd be used to compromise or harm the system outside of the ftp hierarchy?
If your ftpd can authenticate users while locked into the chrooted volume, and you're not using kerberos or something, then user passwords have to be stored in the chrooted area where ftpd can read them.

    USER root
    PASS NULL
    PORT ....
    RETR /etc/shadow

... or whatever

Now you've got something to start cracking on. If you add kerberos, I think that may fix things.

-- 
Tom Fitzgerald   Wang Labs   Lowell MA, USA   1-508-967-5278   fitz () wang com
Pardon me, I'm lost, can you direct me to the information superhighway?
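A defender's check for the exposure described in the reply above, as an added example that is not part of the original post: it walks a chroot tree and reports accounts whose password field holds a crackable hash or is empty. The candidate file list, the 13-character threshold (the length of a traditional crypt(3) DES hash) and the sample jail are assumptions of this example.

```python
import os
import tempfile

# Files inside the jail that an ftpd doing its own password checks would read.
CANDIDATES = ("etc/passwd", "etc/shadow", "etc/master.passwd")

def classify(field):
    """Classify the second colon-separated field of a passwd/shadow line."""
    if field == "":
        return "empty"                 # account needs no password at all
    body = field.lstrip("!*")          # a lock prefix does not hide the hash
    # Traditional crypt(3) DES output is 13 characters; later schemes are longer.
    return "hash" if len(body) >= 13 else None

def audit_chroot(root):
    """Return sorted (relative_path, user, kind) for every exposed credential."""
    findings = []
    for rel in CANDIDATES:
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                parts = line.rstrip("\n").split(":")
                if line.startswith("#") or len(parts) < 2:
                    continue
                kind = classify(parts[1])
                if kind:
                    findings.append((rel, parts[0], kind))
    return sorted(findings)

def build_sample_jail():
    """Constructed sample tree; 'AAplaceholder' is filler, not a real hash."""
    root = tempfile.mkdtemp(prefix="ftpjail-")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/:/bin/sh\nftp:*:14:50:FTP:/:/bin/false\n")
    with open(os.path.join(root, "etc", "shadow"), "w") as fh:
        fh.write("root:AAplaceholder:8868::::::\n"
                 "alice:!AAplaceholder:8868::::::\n"
                 "guest::8868::::::\nftp:*:8868::::::\n")
    return root

if __name__ == "__main__":
    for rel, user, kind in audit_chroot(build_sample_jail()):
        print(f"{rel}: {user}: {kind}")
```

An empty result means the jail holds no password material for a compromised ftpd to hand out, which in turn means authentication has to happen somewhere the chrooted process cannot read.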