Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)
don@paranoia.com ("don@paranoia.com") Thu, 13 Jul 1995 03:19:54 -0500
- Next message: Casper Dik: "Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)"
- Previous message: Jeremy Fitzhardinge: "Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)"
- Maybe in reply to: Henri Karrenbeld: "Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)"
- Next in thread: Joerg Czeranski: "Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)"
>
> That is true,...however I've also tried to:
>
> 1) access a 'link' to /etc/shadow this way, and I could read the file.
> 2) overwrite /var/adm/xferlog this way ( echo "This file is hacked" > )
>    (with a '>' not '>>') and what it did, it appended to the file,
>    which looks weird because I specified that I wanted to overwrite;
>    maybe, if someone explains to us how this actually works in the /proc
>    filesystem, this isn't so strange?

Not strange at all. The "link" under /proc/x/fd is a link directly to the
file descriptor, not the file. So if the file was opened with, e.g.
open( "file", O_WRONLY|O_APPEND ), as most log files are, the file pointer
will be positioned at the end of the file before each write() -- regardless
of whether you used '>' or '>>'. So even if you can write to ftpd's xferlog,
you can't overwrite data that has already been written there.

--
Michael E. Glasgow -- don@paranoia.com http://www.paranoia.com/
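
The O_APPEND behaviour this reply relies on, as an added example that is not part of the original message: the same rewind-then-write sequence is run on a descriptor opened with and without O_APPEND. It only exercises an ordinary descriptor obtained from open(), not the /proc path; the function name, scratch file and sample strings are constructed for illustration.

```c
#define _XOPEN_SOURCE 700   /* for mkstemp() under strict -std= modes */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample data standing in for an existing log line. */
static const char EXISTING[] = "existing-log-line\n";
static const char INJECTED[] = "XXXX";

/* Create a scratch file holding EXISTING, reopen it write-only with
 * extra_flags, seek to offset 0, write INJECTED, and read the file back
 * into out (NUL-terminated). Returns the file length, or -1 on error. */
static long write_after_rewind(int extra_flags, char *out, size_t outlen)
{
    char path[] = "/tmp/oappend-demo-XXXXXX";
    long n = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, EXISTING, strlen(EXISTING)) < 0) { close(fd); unlink(path); return -1; }
    close(fd);
    fd = open(path, O_WRONLY | extra_flags);
    if (fd >= 0) {
        /* Rewind first: without O_APPEND the next write lands at offset 0. */
        if (lseek(fd, 0, SEEK_SET) == 0 &&
            write(fd, INJECTED, strlen(INJECTED)) == (ssize_t)strlen(INJECTED)) {
            int rfd = open(path, O_RDONLY);
            if (rfd >= 0) {
                n = (long)read(rfd, out, outlen - 1);
                if (n >= 0)
                    out[n] = '\0';
                close(rfd);
            }
        }
        close(fd);
    }
    unlink(path);
    return n;
}

int main(void)
{
    char buf[128];
    if (write_after_rewind(O_APPEND, buf, sizeof buf) >= 0) printf("O_APPEND:    %s\n", buf);
    if (write_after_rewind(0, buf, sizeof buf) >= 0)        printf("no O_APPEND: %s\n", buf);
    return 0;
}
```

With O_APPEND the existing line survives and the new bytes follow it; without the flag the first four bytes of the existing line are replaced.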