Re: chrooted superuser (was wu-ftpd info.)
Tom Fitzgerald (fitz wang.com)
Wed, 13 Apr 1994 21:55:11 -0400 (EDT)
- In reply to: Ken Hardy: "Re: chrooted superuser (was wu-ftpd info.)"
> Assume now that I have a tcp wrapper that does the chroot for ftpd
> _whenever_ it's invoked. This is true for non-anonymous as well as
> anonymous logins; it happens before the ftpd is ever exec'ed.
> Furthermore, assume that the chrooted-to volume is mounted
> nosuid,nodev. Can a trojaned ftpd be used to compromise or harm the
> system outside of the ftp hierarchy?

If your ftpd can authenticate users while locked into the chrooted
volume, and you're not using kerberos or something, then user passwords
have to be stored in the chrooted area where ftpd can read them.

    USER root
    PASS NULL
    PORT ....
    RETR /etc/shadow

... or whatever

Now you've got something to start cracking on.

If you add kerberos, I think that may fix things.

--
Tom Fitzgerald   Wang Labs   Lowell MA, USA   1-508-967-5278   fitzwang.com
Pardon me, I'm lost, can you direct me to the information superhighway?
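Added example, not part of the original message: a small audit that walks the credential files inside a chroot tree and reports entries that still carry hash material or an empty password, which is the exposure the reply describes. The function names, the set of placeholder markers, and the sample tree (including the hash string) are constructed for illustration.

```python
import os
import tempfile

# Placeholder values that carry no hash material (assumed common markers).
NO_HASH = {"*", "x", "!", "!!", "*LK*", "NP"}

def audit_chroot_credentials(chroot_root, files=("etc/passwd", "etc/shadow")):
    """Return (relative_path, user, problem) for each risky entry under chroot_root."""
    findings = []
    for rel in files:
        path = os.path.join(chroot_root, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                fields = line.rstrip("\n").split(":")
                if line.startswith("#") or len(fields) < 2:
                    continue
                user, pw = fields[0], fields[1]
                if pw == "":
                    # No password at all: anyone reaching ftpd can log in.
                    findings.append((rel, user, "empty password"))
                elif pw not in NO_HASH:
                    # A locked "!<hash>" entry still exposes the hash offline.
                    findings.append((rel, user, "hash present"))
    return findings

def build_sample_chroot():
    """Build a constructed sample tree (no real accounts or hashes)."""
    root = tempfile.mkdtemp(prefix="ftp-chroot-")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/:/bin/sh\n"
                 "ftp:*:14:50:FTP:/:/bin/false\n")
    with open(os.path.join(root, "etc", "shadow"), "w") as fh:
        fh.write("root:abJnggxhB/yJk:8868:0:99999:7:::\n"
                 "guest::8868:0:99999:7:::\n"
                 "ftp:*:8868:0:99999:7:::\n")
    return root

if __name__ == "__main__":
    for rel, user, problem in audit_chroot_credentials(build_sample_chroot()):
        print(f"{rel}: {user}: {problem}")
```

Any finding means the files visible to the chrooted ftpd hold material worth cracking; an empty result for a tree that still authenticates users implies the credentials live elsewhere, as with the kerberos setup the reply mentions.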