Bugtraq mailing list archives

Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)

From: jwa () nbs nau edu (James W. Abendschan)
Date: Wed, 12 Jul 1995 13:58:34 -0700

People with local ftp access can use the filedescriptors in /proc of
the iwu.)ftpd process (which is running under their euid) to read and append
to files to which they should not have access. This gives write permission
to /var/adm/wtmp and read access to /etc/shadow, if your ftpd is hacked
in a 'dirty' way to incorporate shadow passwords. The 2.4 version also
gave write access to /var/adm/xferlog. A friend of mine reported write
access to /etc/ftpconversions (with possible root vulnerabilities), but
I have not been able to repeat that (2.4.2 beta 4 appears to be safe in
this)


Maybe I'm completely missing the point, but wouldn't this help?

        linux# chown root.kmem /proc
        linux# chmod 750 /proc

And then sgid kmem all the binaries that need /proc access:

        linux# chown root.kmem `which w` `which ps` `which top` (etc)
        linux# chmod 2755 `which w` `which ps` `which top` (etc)

This restricts ordinary users from wandering around in /proc, and
thus being able to access the "unclosed" files.

James

--
James Abendschan               jwa () nbs nau edu            Will Hack For Food
            <a href="http://www.nbs.nau.edu/~jwa";>Zero Funk Kick</a>

Current thread:

Re: Jul 9 08:06:03 all inetd[122]: httpd/tcp server failing, (continued)
- - - Re: Jul 9 08:06:03 all inetd[122]: httpd/tcp server failing Casper Dik (Jul 10)
    - Re: Jul 9 08:06:03 all inetd[122]: httpd/tcp server failing Ken Wilcox (Jul 11)
    - Exploit+fix for Linux SIGURG Marek Michalkiewicz (Jul 11)
    - The FTP Bounce Attack *Hobbit* (Jul 11)
    - Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4) Henri Karrenbeld (Jul 12)
    - Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4) Marek Michalkiewicz (Jul 12)
    - Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4) James Seng (Jul 12)
    - Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4) Henri Karrenbeld (Jul 12)
    - Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4) Aleph One (Jul 13)
    - Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4) Jeremy Fitzhardinge (Jul 13)
    - Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4) James W. Abendschan (Jul 12)
    - Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4) Lyndon Nerenberg (Jul 12)
    - Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4) Aleph One (Jul 13)
    - Re: Jul 9 08:06:03 all inetd[122]: httpd/tcp server failing Karl Strickland (Jul 10)
    - Re: Jul 9 08:06:03 all inetd[122]: httpd/tcp server failing Perry E. Metzger (Jul 10)
    - Re: Jul 9 08:06:03 all inetd[122]: httpd/tcp server failing BioH (Jul 10)
    - Re: Exploit for Linux wu.ftpd hole Nathan Lawson (Jul 09)
  - Re: Exploit for Linux wu.ftpd hole Michael Shields (Jul 06)
    - Re: Exploit for Linux wu.ftpd hole Mike Edulla (Jul 07)
- Why are we using priveleged images / state so much? (Was Re: Paul Robinson (Jul 06)
  - Re: Why are we using priveleged images / state so much? (Was Re: Dr. Frederick B. Cohen (Jul 06)

(Thread continues...)