[1272] in linux-security and linux-alert archive
Re: [linux-security] safe ftpd's
daemon@ATHENA.MIT.EDU (Alan Cox)
Sat Oct 26 07:43:06 1996
From: Alan Cox <alan@cymru.net>
To: chris@ferret.lmh.ox.ac.uk (Chris Evans)
Date: Fri, 25 Oct 1996 22:43:58 +0100 (BST)
Cc: alan@cymru.net, shmoe@snip.net, rwl@gymnet.com.net,
linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.961025180348.12322B-100000@ferret.lmh.ox.ac.uk> from "Chris Evans" at Oct 25, 96 06:06:55 pm
> > Nope. wu-ftpd has the buggy realpath (remember mount). Also if combined with
> > generic gnu tar the results are disaster ( --rsh-command is a great option)
>
> Alan,
>
> Be more specific. ie.
>
> 1) Does this bug affect wu-ftpd-2.4-academ-BETA-11?
>
> 2) If so, what are the implications? Can local remote/users get root access?
> How? Has an exploit been published? Fixes?
1. Yes
2. With the tar one they can run arbitary binaries if they can upload them.
If not then it its probably fairly safe but they can still write to files
in the anon ftp area
I don't have a realpath() exploit. Im not certain it can be exploited
easily.
The tar one is the bad one, but only affects gnu tar [other tars dont have
the options]
ALan