Bugtraq mailing list archives
Re: Glftpd privpath bugs... +fix
From: romracer () MAIL UTEXAS EDU (Scott)
Date: Tue, 27 Jun 2000 22:50:11 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 In an attempt to please people and make them feel a little more 'secure' about their sites we have released the latest glFtpD. Its version 1.21 and you can find them at glftpd.deepwell.com. Currently only the FBSD4 and Linux versions are posted. Solaris SPARC versions have been packaged and are being posted soon. Thanks to everyone who reported this to us and realized that it wasn't really a bug and definately not something we'd classify as 'exploitable'. Scott / ROMRacer Systems Administrator Brainwave Productions, LLC romracer () mail utexas edu - ----- Original Message ----- From: "Raymond Dijkxhoorn" <raymond () THRIJSWIJK NL> To: <BUGTRAQ () SECURITYFOCUS COM> Sent: Monday, June 26, 2000 3:54 AM Subject: [BUGTRAQ] Glftpd privpath bugs... +fix Hi! Glftpd 1.18 till 1.21b8 (current beta) have a serious problem with the privpath directives.... It will probably be fixed in the comming 1.21b9 but i have included a quick fix in this one to prevent exploits of this bug. Thanx for Hoopy for the quick fix (glftpd dev team). Problem: When you know the private dir names on a site, or groupdirs you can ust 'try' to get in .. and its very easy. If you know the name of groupdir you can simply change into it using the completion function on glftpd. If you have a private dir / group dir: For example.... /Groups/Mygroup and you have a dir named 'test' there. you can simply jump to it by typing 'chdir /Groups/Mygroup/t glftpd does not check if you have the proper rights to see the dir, it just hops in there without any problem. So if you try a-9 on the dirnames you can see all stuff inside a private dir,, takes some time, but with a nice script its not that hard... ;-) Fix: Put in the attached fix, instructions are also inside the .c file. It wil ONLY exploiting of the bug on glftpd 1.20 and above, so if you're running <<1.20 then upgrade to the latest version. I'll post a short note when the fixed binary is out also.... In the glftpd.conf: cscript cwd pre /bin/leakfix Bye, Raymond Dijkxhoorn. -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com> iQA/AwUBOVl18mPWXRoVmQXVEQLKzACg42xj1akyhP1ZdVOe9jc97GtOZg8AnRWF sqKozJMZe01R6oQbFD4mOJAC =R/5e -----END PGP SIGNATURE-----
Current thread:
- Sendmail 8.10.2, Linux 2.4.0 - capabilities Valdis Kletnieks (Jun 08)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Kyle Sparger (Jun 08)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities xdr (Jun 09)
- format bugs, in addition to the wuftpd bug Lamagra Argamal (Jun 24)
- Re: format bugs, in addition to the wuftpd bug H D Moore (Jun 26)
- iMesh 1.02 vulnerability Blue Panda (Jun 29)
- Re: format bugs, in addition to the wuftpd bug Jason Axley (Jun 29)
- Concerning the LDAP Enabled Netscape FTP Server Alfred Huger (Jun 27)
- Glftpd privpath bugs... +fix Raymond Dijkxhoorn (Jun 26)
- Re: Glftpd privpath bugs... +fix Scott (Jun 27)
- Re: Sendmail 8.10.2, Linux 2.4.0 - capabilities Kyle Sparger (Jun 08)
- CONECTIVA LINUX SECURITY ANNOUNCEMENT - kernel Sergio Bruder (Jun 08)
- Sendmail & procmail local root exploits on Linux kernel up to 2.2.16pre5 Wojciech Purczynski (Jun 08)
- OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 09)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Bernhard Rosenkraenzer (Jun 10)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Phil Stracchino (Jun 10)
- IBM WebSphere JSP showcode vulnerability stuart.mcclure () FOUNDSTONE COM (Jun 11)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Markus Friedl (Jun 12)
- Using IP Filter to protect FW-1 4.0 (fwd) Darren Reed (Jun 12)
- FreeBSD Security Advisory: FreeBSD-SA-00:25.alpha-dev-random FreeBSD Security Advisories (Jun 12)
- RFPolicy for vulnerability disclosure rain forest puppy (Jun 12)
- Re: OpenSSH's UseLogin option allows remote access with root privilege. Bernhard Rosenkraenzer (Jun 10)