OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Glftpd privpath bugs... +fix
From: Scott (romracerMAIL.UTEXAS.EDU)
Date: Tue Jun 27 2000 - 22:50:11 CDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In an attempt to please people and make them feel a little more
'secure' about their sites we have released the latest glFtpD. Its
version 1.21 and you can find them at glftpd.deepwell.com. Currently
only the FBSD4 and Linux versions are posted. Solaris SPARC versions
have been packaged and are being posted soon. Thanks to everyone who
reported this to us and realized that it wasn't really a bug and
definately not something we'd classify as 'exploitable'.

Scott / ROMRacer
Systems Administrator
Brainwave Productions, LLC
romracermail.utexas.edu

- ----- Original Message -----
From: "Raymond Dijkxhoorn" <raymondTHRIJSWIJK.NL>
To: <BUGTRAQSECURITYFOCUS.COM>
Sent: Monday, June 26, 2000 3:54 AM
Subject: [BUGTRAQ] Glftpd privpath bugs... +fix

Hi!

Glftpd 1.18 till 1.21b8 (current beta) have a serious problem with
the
privpath directives....

It will probably be fixed in the comming 1.21b9 but i have included a
quick fix in this one to prevent exploits of this bug. Thanx for
Hoopy for
the quick fix (glftpd dev team).

Problem:

When you know the private dir names on a site, or groupdirs you can
ust
'try' to get in .. and its very easy. If you know the name of
groupdir you
can simply change into it using the completion function on glftpd.

If you have a private dir / group dir:

For example....

/Groups/Mygroup and you have a dir named 'test' there.

you can simply jump to it by typing 'chdir /Groups/Mygroup/t
glftpd does not check if you have the proper rights to see the dir,
it
just hops in there without any problem. So if you try a-9 on the
dirnames
you can see all stuff inside a private dir,, takes some time, but
with a
nice script its not that hard... ;-)

Fix:

Put in the attached fix, instructions are also inside the .c file.
It wil ONLY exploiting of the bug on glftpd 1.20 and above, so if
you're
running <<1.20 then upgrade to the latest version. I'll post a short
note
when the fixed binary is out also....

In the glftpd.conf: cscript cwd pre /bin/leakfix

Bye,
Raymond Dijkxhoorn.

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOVl18mPWXRoVmQXVEQLKzACg42xj1akyhP1ZdVOe9jc97GtOZg8AnRWF
sqKozJMZe01R6oQbFD4mOJAC
=R/5e
-----END PGP SIGNATURE-----