Re: mirror 2.9 hole

From: Stefan Kelm (kelmat_private)
Date: Tue Oct 19 1999 - 08:23:35 PDT

    > mirror is a Perl script which is widely used for making a copy of a remote
    > FTP site. It's included in the FreeBSD packages. There are security holes
    > which allow overwriting local files from a remote ftp site with the
    > permissions of the user who runs mirror. When retrieving a directory
    > listing, mirror doesn't check the filename or directory name for
    > ".." or "\". This allows creating or overwriting files in a directory
    > different from the destination.
    >
    > To simply test this bug you can create a " .." directory on your ftp
    > site and mirror your site. Mirror will create temporary files in the
    > directory one level higher than specified. This way you couldn't
    > overwrite some useful information, but this may be used, for example,
    > to fill up the / directory (if mirror is run from root).
    >
    > But by putting little changes into your ftpd (for example making it
    > change '\' to '/' on listings) you can force mirror to overwrite _any_
    > file with the permissions of the mirror user when he mirrors your ftp site.
    >
    >
    > Tested with:
    > $ mirror -v
    > $Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $
    
    I can confirm the behaviour you describe for mirror.pl,v 2.8 running on
    solaris although I wasn't able to create any temporary files by using a
    "\" in either the file names or the directory names.
    
    However, the default mirror configuration shows the following part:
    
      # Don't touch anything whose name begins with a space!
      exclude_patt=(^|/)(.mirror$|.in..*.$|MIRROR.LOG|#.*#|.FSP|.cache|.zipped|lost+found/| )
    
    (you might want to quote the space character at the end)
    
    Even the man page recommends using the line above. Be careful not to
    overwrite the keyword exclude_patt in your own mirror files. If you do
    have to use exclude_patt be sure to specify something like:
    
      exclude_patt+|^blah/|             (note the "+" sign!)
    
    This should not allow temporary files to be created through " ..". At
    least it didn't on my system.  :-)
    
    Cheers,
    
            Stefan.
    
    ______________________________________________________________________________
    Stefan Kelm            PGP key: "finger kelmat_private" or via key server
    DFN-PCA                                                      <kelmat_private>
    Vogt-Koelln-Str. 30                               http://www.pca.dfn.de/~kelm/
    22527 Hamburg (Germany)                   Tel: +49 40 428 83-2262 / Fax: -2241
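As an added illustration (not code from the original mail, nor from mirror.pl itself), a Python sketch of the two checks discussed in this thread: the default exclude_patt quoted above applied as a regex (which catches the " .." case because of the trailing space), and an explicit validation a mirroring tool should perform on every remote listing entry before joining it to the local destination, which also covers ".." and "\". The function names and the /srv/mirror path are assumptions for the example.

```python
import posixpath
import re

# The default exclude_patt from the mail, verbatim. The last alternative is a
# single space, which is why the trailing space must survive in the config.
EXCLUDE_PATT = re.compile(
    r"(^|/)(.mirror$|.in..*.$|MIRROR.LOG|#.*#|.FSP|.cache|.zipped|lost+found/| )"
)


def excluded_by_patt(name: str) -> bool:
    """True if mirror's default exclude_patt would skip this listing entry."""
    return EXCLUDE_PATT.search(name) is not None


def is_safe_remote_name(name: str) -> bool:
    """Reject a remote listing entry that could escape the destination.

    Covers the cases raised in the thread: ".." components (with or without
    surrounding whitespace, so " .." is caught too) and backslashes, plus
    absolute paths, empty components and NUL bytes. exclude_patt alone does
    not catch "../x", so this check is needed in addition to it.
    """
    if not name or "\\" in name or "\0" in name or name.startswith("/"):
        return False
    for comp in name.split("/"):
        if comp == "" or comp == "." or comp.strip() == "..":
            return False
    return True


def local_target(dest: str, name: str) -> str:
    """Join a validated remote name to dest and confirm it stays under dest.

    The second, path-based check guards against any traversal the name-based
    rules might miss; both must pass before any file is created.
    """
    if not is_safe_remote_name(name):
        raise ValueError(f"rejected remote name: {name!r}")
    dest_norm = posixpath.normpath(dest)
    target = posixpath.normpath(posixpath.join(dest_norm, name))
    if not target.startswith(dest_norm + "/"):
        raise ValueError(f"{name!r} resolves outside {dest_norm}")
    return target
```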
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:08:00 PDT