Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)
From: aleph1 () dfw net (Aleph One)
Date: Thu, 13 Jul 1995 11:58:54 -0500

Aleph One / aleph1 () dfw net

On Wed, 12 Jul 1995, Henri Karrenbeld wrote:

1) access a 'link' to /etc/shadow this way, and I could read the file.
2) overwrite /var/adm/xferlog this way ( echo "This file is hacked" > )
   (with a '>' not '>>') and what it did, it appended to the file,
   which looks weird because I specified that I wanted to overwrite;
   maybe, if someone explains to us how this actually works in the /proc
   filesystem, this isn't so strange?

The reason it doesnt overwrite and it appends is because you are not
reopening the file, you are using an already open file, that was probably
opened in append only mode.

Of course, we've also tried this. However, we were not able to overwrite
the file with our own program, but we assumed this was because the binary
was 'busy', being executed (have you ever tried stripping an executable
that was running, for example?)

Nope again the reason is because this is an already open file that was
opened read only, so you cant write to a read only file descriptor.

Well, _I_ might be wrong about the whole thing too, however the things
mentioned at (1) and (2) _did_ work on 5 systems that we tried it on
(1 system with /etc/shadow (wu.ftpd 2.4), 3 systems with /usr/adm/xferlog
(wu.ftpd 2.4) and 1 system with /var/adm/wtmp (wu.ftpd 2.4.2 beta4))
so there is definately _some_ security problem on _our_ machines.

Upgrade to 1.2.11 and to 1.2.12 when it comes out.

$) Henri Karrenbeld

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]