[12041] in bugtraq
mirror 2.9 hole
daemon@ATHENA.MIT.EDU (3APA3A)
Tue Sep 28 17:19:40 1999
Message-Id: <15769.990928@tomcat.ru>
Date: Tue, 28 Sep 1999 18:27:54 +0400
Reply-To: Wise Cat <wise@tomcat.ru>
From: 3APA3A <wise@TOMCAT.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
Hello BUGTRAQ@SECURITYFOCUS.COM,
mirror is a Perl script which is widely used for making copies of remote
FTP sites. It's included in the FreeBSD packages. There are security holes
which allow overwriting local files from a remote ftp site with the
permissions of the user who uses mirror. When retrieving a directory
listing, mirror doesn't check whether a filename or directory name contains
".." or "\". This allows creating or overwriting files in a directory
different from the destination.
To simply test this bug you can create a " .." directory on your ftp
site and mirror your site. Mirror will create temporary files in the
directory one level higher than specified. This way you couldn't
overwrite any useful information, but this may be used, for example,
to fill up the / directory (if mirror is run from root).
But by putting little changes into your ftpd (for example making it
change '\' to '/' in listings) you can force mirror to overwrite _any_
file with the permissions of the mirror user when he mirrors your ftp site.
Tested with:
$ mirror -v
$Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $
/\_/\
{ . . } |\
+--oQQo->{ ^ }<-----+ \
|Here was the Learned Cat}
+-------------o66o--+ /
|/
Alcoholism is a particular problem. (Lem)
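The defensive counterpart to the problem described in the post is to treat every name returned in a remote directory listing as untrusted before it is joined onto the local destination directory. The example below is added here and is not code from mirror.pl or from the author; it is written in Python rather than Perl and assumes a hypothetical destination directory `/srv/mirror` and a constructed list of listing names (including the " .." name and the backslash-separated variant the post mentions). It rejects dot-dot components even when padded with whitespace, rejects backslashes and absolute names outright, and then checks that the normalized result still lies under the destination directory as a second line of defence.

```python
"""Validate names taken from a remote FTP directory listing before using them
as local paths, so a hostile listing cannot steer writes outside the mirror's
destination directory.  Added illustration; not code from mirror.pl."""
import os


class UnsafeRemoteName(ValueError):
    """Raised when a remote name would escape the destination directory."""


def safe_local_path(dest_dir, remote_name):
    """Map a name from a remote listing to a local path inside dest_dir.

    Rejects empty names and embedded NUL, backslashes (a remote server can
    hand back '\\' and some local filesystems treat it as a separator),
    absolute names, and any path component that is '.' or '..' once
    surrounding whitespace is stripped.  The post describes a ' ..' directory
    being created one level above the destination, so whitespace-padded
    dot-dot is treated exactly like '..'.
    """
    if not remote_name or "\x00" in remote_name:
        raise UnsafeRemoteName("empty name or embedded NUL")
    if "\\" in remote_name:
        raise UnsafeRemoteName("backslash in remote name")
    if remote_name.startswith("/"):
        raise UnsafeRemoteName("absolute remote name")
    for part in remote_name.split("/"):
        if part.strip() in ("", ".", ".."):
            raise UnsafeRemoteName("dot or dot-dot path component: %r" % part)

    # Defence in depth: even after the component checks, confirm that the
    # normalized absolute path is still contained in the destination.
    dest = os.path.realpath(dest_dir)
    candidate = os.path.realpath(os.path.join(dest, remote_name))
    if os.path.commonpath([dest, candidate]) != dest:
        raise UnsafeRemoteName("path escapes destination: %r" % remote_name)
    return candidate


def filter_listing(dest_dir, names):
    """Split listing names into (accepted local paths, [(name, reason), ...])."""
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append(safe_local_path(dest_dir, name))
        except UnsafeRemoteName as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


# Constructed sample listing names; the hostile ones model what the post
# describes (a ' ..' directory and a server that emits '\' separators).
SAMPLE_DEST = "/srv/mirror"  # hypothetical destination directory
SAMPLE_NAMES = [
    "index.html",
    "pub/file.tar.gz",
    " ..",                       # whitespace-padded dot-dot from the post
    "..",
    "pub\\..\\..\\outside.txt",  # backslash-separated traversal
    "/abs/outside.txt",          # absolute name
    "pub/../../outside.txt",     # ordinary slash-separated traversal
]


def demo(dest_dir=SAMPLE_DEST, names=SAMPLE_NAMES):
    """Run the filter over the constructed listing and return the two lists."""
    return filter_listing(dest_dir, names)


if __name__ == "__main__":
    ok, bad = demo()
    for path in ok:
        print("accept", path)
    for name, reason in bad:
        print("reject %r: %s" % (name, reason))
```

Only the two well-formed names survive; the other five are refused before any local file is touched. The final `commonpath` check is redundant for these inputs but catches cases the component checks miss, such as a destination directory that is itself a symlink into another tree.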