Bugtraq mailing list archives
Re: wu-ftpd info.
From: cklaus () shadow net (Christopher Klaus)
Date: Wed, 13 Apr 94 21:03:28 EDT
In <9404131412.AA01024@racerx> you write:

What are the dangers posed by someone gaining root access, as through a trojaned ftpd, in a _chrooted_ environment, assuming that the environment gets chrooted before there's any chance of compromise? Granted, you don't want strangers enabled to wreak havoc with your ftp hierarchy (and planting _more_ trojans), but what kind of threats can be posed to the rest of the system from such a toehold?

Quickest is to put a mknod and dump executable in the filetree, start doing mknod's of block devices, have dump spew them back to your local host where you can read any files you want with restore...

With everyone throwing in suggestions of how to exploit this situation, here's another: stick an nfs client program on the host and use it to mount the NFS system, or at least grab the file handles; since your requests are coming from the 'trusted' machine, it should be no problem.

--
Christopher William Klaus Email: cklaus () shadow net
Author:Inet Sec. Scanner
2209 Summit Place Drive,Dunwoody, GA 30350-2430. (404)998-5871.
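The first suggestion quoted above depends on device nodes being created and honoured inside the chroot tree. As an added example, not part of the original post, this Python audit lists device nodes under an FTP chroot and checks whether its filesystem is mounted `nodev`, the option that makes the kernel refuse to open device nodes there. The `/home/ftp` path and the mount table are constructed assumptions.

```python
import os
import stat

# Constructed sample in /proc/mounts format (not from the original post).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
/dev/sdb1 /home/ftp ext4 rw,nodev,nosuid,noexec 0 0
"""

def classify(mode):
    """Return a label for device nodes, or None for other file types."""
    if stat.S_ISBLK(mode):
        return "block device"
    if stat.S_ISCHR(mode):
        return "character device"
    return None

def find_device_nodes(root):
    """Walk root without following symlinks; list (path, kind, major, minor)."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or unreadable; skip it
            kind = classify(st.st_mode)
            if kind:
                hits.append((path, kind, os.major(st.st_rdev), os.minor(st.st_rdev)))
    return hits

def mount_options(mounts_text, path):
    """Options of the longest mount point that contains path."""
    best, opts = "", set()
    path = os.path.normpath(path)
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mp = fields[1].rstrip("/") or "/"
        inside = mp == "/" or path == mp or path.startswith(mp + "/")
        if inside and len(mp) >= len(best):
            best, opts = mp, set(fields[3].split(","))
    return opts

def has_nodev(mounts_text, path):
    return "nodev" in mount_options(mounts_text, path)
```

On a live Linux host, pass the contents of `/proc/mounts` instead of the sample; any device node the FTP area legitimately needs would have to be allow-listed by the caller.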