Bugtraq mailing list archives

Re: mirror 2.9 hole


From: lists () MISTY EUNET PT (jcp)
Date: Wed, 20 Oct 1999 14:25:50 +0100


version stats:
$Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $

 The author of mirror, Lee McLoughlin, had this to say:

...
<QUOTE>
Anyhow.  A simple fix to overcome this problem is to add the following to your
mirror.defaults
(and to any package that overrides this setting):

name_mappings=s:\.\./:__/:g

This should convert names like:
    " ../rot"
to
    " __/rot"

BUT I'VE NOT TESTED THIS!
</QUOTE>
...

I also didn't test this. I did make a quick patch to the mirror.pl script
to warn/log about attempts. Patch included.

regards

--
Jose' Carlos Pereira

On Tue, 19 Oct 1999, Stefan Kelm wrote:

[snip]

I can confirm the behaviour you describe for mirror.pl,v 2.8 running on
Solaris although I wasn't able to create any temporary files by using a
"\" in either the file names or the directory names.

However, the default mirror configuration shows the following part:

  # Don't touch anything whose name begins with a space!
  exclude_patt=(^|/)(.mirror$|.in..*.$|MIRROR.LOG|#.*#|.FSP|.cache|.zipped|lost+found/| )

(you might want to quote the space character at the end)

Even the man page recommends using the line above. Be careful not to
overwrite the keyword exclude_patt in your own mirror files. If you do
have to use exclude_patt be sure to specify something like:

  exclude_patt+|^blah/|             (note the "+" sign!)

This should not allow temporary files to be created through " ..". At
least it didn't on my system.  :-)

Cheers,

        Stefan.

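As an added illustration (not code from the original post, and not part of mirror itself), the following Perl script runs Lee McLoughlin's suggested name_mappings substitution and Stefan Kelm's exclude_patt over a few constructed listing names and reports which names each mitigation handles; the has_parent_component helper and the sample names are my own additions.

```perl
#!/usr/bin/perl
# Added example: checks how the two mitigations proposed in this thread
# treat constructed remote listing names. Not from mirror or the post.
use strict;
use warnings;

# Lee McLoughlin's suggested name_mappings entry, applied here as the
# s:::g substitution mirror would run on each remote name.
sub map_name {
    my ($name) = @_;
    (my $mapped = $name) =~ s:\.\./:__/:g;
    return $mapped;
}

# Stefan Kelm's exclude_patt, copied as given; the last alternative is a
# single space, so any name beginning with a space (or containing "/ ")
# is skipped entirely.
my $exclude_patt = qr{(^|/)(.mirror$|.in..*.$|MIRROR.LOG|#.*#|.FSP|.cache|.zipped|lost+found/| )};

# Helper (my addition): true when some path component is exactly "..",
# whether or not a "/" follows it.
sub has_parent_component {
    my ($name) = @_;
    return $name =~ m{(^|/)\.\.(/|$)} ? 1 : 0;
}

# Classify one remote name: excluded, rewritten, clean, or still carrying
# a ".." component after both mitigations have been applied.
sub classify {
    my ($name) = @_;
    return 'excluded'  if $name =~ $exclude_patt;
    my $mapped = map_name($name);
    return 'unhandled' if has_parent_component($mapped);
    return $mapped eq $name ? 'clean' : "rewritten to '$mapped'";
}

# Constructed sample names, as a hostile remote listing might present them.
my @names = ('../rot', ' ../rot', ' ..', '..', 'pub/../../etc', 'pub/..x', 'normal.txt');

for my $n (@names) {
    printf "%-16s %s\n", "'$n'", classify($n);
}
```

Running it shows the space-prefixed names caught by exclude_patt and the `../` forms rewritten, while a bare `..` entry with no trailing slash is neither excluded nor rewritten, so a check on whole path components is still needed alongside the two configuration settings.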

*** mirror.pl   Mon Jun  8 11:55:27 1998
--- /usr/local/mirror2.9/mirror Wed Sep 29 16:34:01 1999
***************
*** 2657,2662 ****
--- 2657,2701 ----
        $no_rename = (! $remote_has_rename) || ($remote_fs eq 'macos' && ! $get_file);
  
        foreach $src_path ( @xfer_src ){
+ 
+ ##
+ #BEGIN jcp () EUnet pt 1999/09/29
+ #
+ #Date: Tue, 28 Sep 1999 18:27:54 +0400
+ #From: 3APA3A <wise () tomcat ru>
+ #To: BUGTRAQ () SECURITYFOCUS COM
+ #Subject: mirror 2.9 hole
+ #
+ #Hello BUGTRAQ () SECURITYFOCUS COM,
+ #
+ #mirror is a Perl script which is widely used for making copy of remote
+ #FTP site. It's included in FreeBSD packages. There are security holes,
+ #which   allows  overwrite  local  files  from  remote  ftp  site  with
+ #permissions  of  the  user  who uses mirror. Then retrieving directory
+ #listing  mirror  doesn't  check  filename or directory name to contain
+ #".."  or  "\"  This  allows  to create or overwrite files in directory
+ #different from destination.
+ #
+ #To  simply  test  this  bug you can create " .." directory on your ftp
+ #site  and  mirror  your  site.  Mirror  will create temporary files in
+ #directory  one  level  higher  then  specifyed.  This way you couldn't
+ #overwrite  some useful information, but this may be used, for example,
+ #to fill out / directory (if mirror is ran from root).
+ #
+ #But  with putting little changes into you ftpd (for example making him
+ #change '\' to '/' on listings) you can force mirror to overwrite _any_
+ #file with permissions of mirror user then he mirrors your ftp site.
+ #
+ #
+ #Tested with:
+ #$ mirror -v
+ #$Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $
+ 
+               if( $src_path =~ /\w*\.\.\//){
+                         &msg( $log, "WARNING: BAD dir detected, skipping: $src_path\n" );
+                       next;
+               }
+ #END jcp () EUnet pt
                if( $get_file ){
                        $srci = $remote_map{ $src_path };
                }
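Review bot: the `\w*` prefix in the `$src_path =~ /\w*\.\.\//` test at the end of the hunk is a no-op (it can match zero characters, so the pattern is equivalent to `/\.\.\//`), and because the pattern requires a trailing slash it does not fire for a remote entry named exactly `..` at the end of the path, which the advisory quoted in the same hunk also mentions. A component-anchored test, e.g. `if( $src_path =~ m{(^|/)\.\.(/|$)} ){`, covers both the `../` and the bare `..` cases. Two style points: the three inserted code lines use different indentation from each other and from the surrounding `if( $get_file ){` block, and the thirty-line copy of the advisory would read better as a one-line comment with a pointer to the BUGTRAQ message than as inline code comments.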
