From: Przemyslaw Frasunek (przemyslaw@frasunek.com)
Date: Tue Aug 10 2010 - 04:45:13 CDT
> What I found especially worrying is that this user-supplied untrustable
> file is being parsed and processed by various daemons and other
> login mechanisms BEFORE permanently dropping root privileges. Unless
> there is a very strong reason, which I am overlooking, to do so, I
> find this design very flawed.
This seems to be incorrect for both ftpd and sshd on 6.4-RELEASE.
41673 sshd CALL setuid(0xbb8)
41673 sshd RET setuid 0
41673 sshd CALL seteuid(0xbb8)
41673 sshd RET seteuid 0
41673 sshd NAMI "/home/venglin/.login_conf"
41673 sshd NAMI "/home/venglin/.login_conf.db"
41673 sshd NAMI "/home/venglin/.login_conf.db"
41513 ftpd CALL seteuid(0xbb8)
41513 ftpd RET seteuid 0
41513 ftpd NAMI "/home/venglin/.login_conf"
41513 ftpd NAMI "/home/venglin/.login_conf.db"
41513 ftpd NAMI "/home/venglin/.login_conf.db"
Back in 2001 I found a very similar vulnerability in 4.4-RELEASE, which allowed
reading any file in the system with root privileges:
http://marc.info/?l=bugtraq&m=100101802423376&w=2
Since then, elevated privileges are dropped before parsing login_conf.
--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com ** NICHDL: PMF9-RIPE *
* Jabber ID: venglin@nette.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ5JIV *
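The check the kdump excerpt above makes by eye (did setuid()/seteuid() succeed before the NAMI on ~/.login_conf?) can be automated. The following is an added example, not code from the post or from FreeBSD: it parses kdump's CALL/RET/NAMI records, tracks the real, effective and saved uid per process, and classifies every .login_conf lookup as done with root, after a temporary drop (seteuid only, root can be regained) or after a permanent drop (setuid replaced all three uids). The trace text is constructed: the sshd and ftpd records reproduce the sequence quoted above, and "exampled" is a hypothetical daemon whose seteuid() fails before it reads the file.

```python
"""Audit a kdump(1) trace for lookups of ~/.login_conf made with root privileges.

Added example, not code from the mailing-list post or from FreeBSD. Parses the
CALL/RET/NAMI records kdump prints for a ktrace session and reports the
privilege state at each .login_conf / .login_conf.db lookup.
"""
import re
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Per-user login class database (not the system /etc/login.conf).
LOGIN_CONF_RE = re.compile(r"/\.login_conf(\.db)?$")
# The two uid-changing calls we track; kdump prints the uid in hex or decimal.
UID_CALL_RE = re.compile(r"^(setuid|seteuid)\((0x[0-9a-fA-F]+|\d+)\)$")

# Constructed sample in kdump's column layout; "exampled" is hypothetical.
SAMPLE_TRACE = """\
 41673 sshd     CALL  setuid(0xbb8)
 41673 sshd     RET   setuid 0
 41673 sshd     CALL  seteuid(0xbb8)
 41673 sshd     RET   seteuid 0
 41673 sshd     NAMI  "/home/venglin/.login_conf"
 41673 sshd     NAMI  "/home/venglin/.login_conf.db"
 41513 ftpd     CALL  seteuid(0xbb8)
 41513 ftpd     RET   seteuid 0
 41513 ftpd     NAMI  "/home/venglin/.login_conf"
 41513 ftpd     NAMI  "/home/venglin/.login_conf.db"
 42001 exampled CALL  seteuid(0xbb8)
 42001 exampled RET   seteuid -1 errno 1 Operation not permitted
 42001 exampled NAMI  "/home/venglin/.login_conf"
"""


@dataclass
class Proc:
    comm: str
    # Assumption: the traced daemon starts as root, so all three uids begin at 0.
    ruid: int = 0
    euid: int = 0
    svuid: int = 0
    pending: Optional[Tuple[str, int]] = None  # (syscall, uid) awaiting its RET


@dataclass
class Finding:
    pid: int
    comm: str
    path: str
    privilege: str  # "root", "temporary-drop" or "permanent-drop"


def privilege_state(p: Proc) -> str:
    """Classify how much privilege the process holds at this instant."""
    if p.euid == 0:
        return "root"             # the file is opened with root's euid
    if p.ruid == 0 or p.svuid == 0:
        return "temporary-drop"   # seteuid(0) would restore root
    return "permanent-drop"       # setuid() already replaced all three uids


def apply_uid_ret(p: Proc, syscall: str, uid: int) -> None:
    """Update the uid triple after a *successful* setuid/seteuid."""
    if syscall == "setuid" and p.euid == 0:
        p.ruid = p.euid = p.svuid = uid   # privileged setuid sets all three
    else:
        p.euid = uid                      # seteuid, or unprivileged setuid


def audit_trace(text: str) -> List[Finding]:
    """Walk kdump output and record the privilege state at each .login_conf lookup."""
    procs: Dict[int, Proc] = {}
    findings: List[Finding] = []
    for raw in text.splitlines():
        parts = raw.split(None, 3)
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # blank lines, headers, records we do not understand
        pid, comm, kind, rest = int(parts[0]), parts[1], parts[2], parts[3]
        p = procs.setdefault(pid, Proc(comm))
        if kind == "CALL":
            m = UID_CALL_RE.match(rest.strip())
            p.pending = (m.group(1), int(m.group(2), 0)) if m else None
        elif kind == "RET":
            tokens = rest.split()
            if p.pending and tokens[0] == p.pending[0]:
                if int(tokens[1]) == 0:   # "-1 errno ..." means nothing changed
                    apply_uid_ret(p, *p.pending)
                p.pending = None
        elif kind == "NAMI":
            path = rest.strip().strip('"')
            if LOGIN_CONF_RE.search(path):
                findings.append(Finding(pid, comm, path, privilege_state(p)))
    return findings


def main() -> None:
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for f in audit_trace(text):
        print(f"{f.pid:>6} {f.comm:<10} {f.privilege:<15} {f.path}")


if __name__ == "__main__":
    main()
```

On a real system, attach to the listening daemon with `ktrace -di -t cn -p <pid>` (syscalls plus namei, following children), log in once, then run `kdump -f ktrace.out > trace.txt` and pass trace.txt to the script. Note the distinction the script draws for ftpd: a bare seteuid() leaves the saved uid at 0, so the lookup is not done as root, but the process has not permanently dropped root either, which is the stronger property the quoted message asks for.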
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"