Bugtraq mailing list archives

Re: wu-ftpd info.


From: mouse () collatz mcrcim mcgill edu (der Mouse)
Date: Wed, 13 Apr 1994 15:23:59 -0400


> What are the dangers posed by someone gaining root access, as through
> a trojaned ftpd, in a _chrooted_ environment, assuming that the
> environment gets chrooted before there's any chance of compromise?

That's a big assumption; I think the wuftpd bug didn't require
committing to anonymous access before the potential compromise.  But to
answer your question....

> Granted, you don't want strangers enabled to wreak havoc with your
> ftp hierarchy (and planting _more_ trojans), but what kind of threats
> can be posed to the rest of the system from such a toehold?

First, note that the lack of development tools (like cc) is not a
barrier, since we can probably assume that the intruder has access to a
binary-compatible machine.  (We certainly can't assume this is not so.)

What can you do as root?  Let's see.  You can create a new /dev/kmem or
/dev/mem with mknod(2) and use it to patch the location in the kernel
that holds your current root directory...and thereby blow chroot()'s
"security" clean out of the water.

                                        der Mouse

                            mouse () collatz mcrcim mcgill edu
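
A defensive check that follows from the reply above, added here as an example and not part of the original post: because root inside the chroot can create device nodes with mknod(2), scanning the ftp hierarchy for character or block devices that the administrator did not put there is a cheap audit. The function names, the `allowed` list and the sample tree are assumptions made for this example.

```python
import os
import stat
import tempfile


def classify(mode):
    """Return 'char-device' or 'block-device' for a device-node st_mode, else None."""
    if stat.S_ISCHR(mode):
        return "char-device"
    if stat.S_ISBLK(mode):
        return "block-device"
    return None


def scan_chroot(root, allowed=()):
    """Walk `root` without following symlinks; report unexpected device nodes.

    `allowed` (hypothetical parameter) holds paths relative to `root`, such as
    "dev/null", that the administrator created on purpose.
    Returns a list of (relative_path, kind, major, minor) tuples.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: never follow a symlink out of the tree
            except OSError:
                continue  # entry vanished or is unreadable
            kind = classify(st.st_mode)
            rel = os.path.relpath(full, root)
            if kind and rel not in allowed:
                findings.append((rel, kind, os.major(st.st_rdev), os.minor(st.st_rdev)))
    return findings


def demo():
    # Constructed sample tree holding only ordinary files, so the scan is clean.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "pub"))
        with open(os.path.join(root, "pub", "README"), "w") as fh:
            fh.write("constructed sample file\n")
        return scan_chroot(root)


if __name__ == "__main__":
    print(demo())
```

Run it from outside the chroot against the ftp root; any finding not on the `allowed` list deserves investigation.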


