Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)

From: jseng () stf org sg (James Seng)
Date: Thu, 13 Jul 1995 00:43:17 +0800

On Wed, 12 Jul 1995, Henri Karrenbeld wrote:

l-wx------   1 <yourname>     64 Jul 12 13:07 5 -> [0301]:24718

[snip]

So normal access for wtmp is 644, however this 'hard link' into the filesystem
points directly to the inode (24718) and gives you write access to this file
by writing to /proc/2728/fd/5 instead of to /var/adm/wtmp.


Just like to ask a stupid question. Is "5 -> [0301]:24718" a hard link or
is it a soft link? (sorry..i dont have the spec for /proc filesystem..)

If it is a soft link, then it is no bug. The soft link maybe own you you
but this doesnt means that inode 24718 is own by you. The ftp daemon may
continue to access /var/adm/utmp even though it has euid itself to
<yourname> since it has open() the file while it is still root.

If it is a hard link, then we are in deep trouble. If i am not wrong,
/proc/<processid>/exe is also a link which actually points to the inode
of the program of the process. This means that anyone can overwrite or
modify any program they run by 1. run the program and then suspend it
2. ps and look for process id 3. Overwrite /proc/<processid>/exe with
their trojan version.

I maybe wrong about the whole thing however...feel free to correct me.

-James Seng
Previous By Date Next
Previous By Thread Next

Current thread: