Re: OpenBSD 2.8 ftpd/glob exploit (breaks chroot)

From: Peter van Dijk (peterat_private)
Date: Wed Apr 18 2001 - 12:11:39 PDT

Next message: MegaZone: "Re: qDefense Advisory: DCForum allows remote read/write/execute"

Previous message: Paul Starzetz: "VMware symlink problems"
In reply to: Bill Sommerfeld: "Re: OpenBSD 2.8 ftpd/glob exploit (breaks chroot)"
Next in thread: Chris Evans: "Re: OpenBSD 2.8 ftpd/glob exploit (breaks chroot)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Apr 18, 2001 at 10:01:51AM -0400, Bill Sommerfeld wrote:
>   seteuid(0); a = open("..", O_RDONLY); mkdir("adfa", 555);
>   chroot("adfa"); fchdir(a); for(cnt = 100; cnt; cnt--)
>     chdir("..");
>   chroot(".."); execve("/bin//sh", ..);
>
> For the record, I blocked this way of breaking out of chroot in NetBSD
> in 1999; the fix is present in NetBSD 1.4 and later releases.  I'm
> surprised that this hasn't been picked up by more distributions.

On FreeBSD, the kern.chroot_allow_open_directories sysctl should be
able to prevent this trick. If disabled (set to zero), it makes chroot
fail if any directories are open. If enabled (set to one, the
default), it makes chroot fail if any directories are open and a
chroot call is already in effect. (any other value disables all
checks).

Looks to me like FreeBSD isn't vulnerable to this trick either, then.

Greetz, Peter.

Next message: MegaZone: "Re: qDefense Advisory: DCForum allows remote read/write/execute"
Previous message: Paul Starzetz: "VMware symlink problems"
In reply to: Bill Sommerfeld: "Re: OpenBSD 2.8 ftpd/glob exploit (breaks chroot)"
Next in thread: Chris Evans: "Re: OpenBSD 2.8 ftpd/glob exploit (breaks chroot)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 10:56:49 PDT