Bugtraq mailing list archives

Re: wu-ftpd info.

From: cklaus () shadow net (Christopher Klaus)
Date: Wed, 13 Apr 94 21:03:28 EDT



In <9404131412.AA01024@racerx>  you write:
  
  What are the dangers posed by someone gaining root access, as through a
  trojaned ftpd, in a _chrooted_ environment, assuming that the environment
  gets chrooted before there's any chance of compromise?  Granted, you
  don't want strangers enabled to wreak havoc with your ftp heirarchy
  (and planting _more_ trojans), but what kind of threats can be posed
  to the rest of the system from such a toehold?


Quickest is to put a mknod  and dump executable in the filetree, start 
doing mknod's of block devices, have dump spew them back to your local 
host where you can read any files you want with restore...

With everyone throwing in suggestions of how to exploit this situation,
here's another:  stick a nfs client program on the host and
use it to mount the NFS system, or atleast grab the file handles,
since your requests are coming from the 'trusted' machine, it should be no
problem.  


-- 
Christopher William Klaus  Email: cklaus () shadow net  Author:Inet Sec. Scanner
2209 Summit Place Drive,Dunwoody, GA 30350-2430. (404)998-5871.

Current thread:

wu-ftpd info. Christopher Klaus (Apr 12)
- Re: wu-ftpd info. Paul A Vixie (Apr 13)
  - Re: wu-ftpd info. Paul Walmsley (Apr 13)
- <Possible follow-ups>
- Re: wu-ftpd info. Ken Hardy (Apr 13)
  - Re: wu-ftpd info. jdd () cdf toronto edu (Apr 13)
  - Re: wu-ftpd info. Paul A Vixie (Apr 13)
  - Re: wu-ftpd info. Rob Quinn (Apr 13)
  - Re: wu-ftpd info. Gene Spafford (Apr 13)
  - Re: wu-ftpd info. Marc W. Mengel (Apr 13)
    - Re: wu-ftpd info. Christopher Klaus (Apr 13)
- Re: wu-ftpd info. smb () research att com (Apr 13)
- Re: wu-ftpd info. William McVey (Apr 13)
- Re: wu-ftpd info. der Mouse (Apr 13)