[12274] in bugtraq

Re: mirror 2.9 hole

daemon@ATHENA.MIT.EDU (Stefan Kelm)
Tue Oct 19 15:17:23 1999

Message-Id:  <199910191523.RAA15824@procert.cert.dfn.de>
Date:         Tue, 19 Oct 1999 17:23:35 +0200
Reply-To: Stefan Kelm <kelm@PCA.DFN.DE>
From: Stefan Kelm <kelm@PCA.DFN.DE>
X-To:         wise@tomcat.ru
To: BUGTRAQ@SECURITYFOCUS.COM

> mirror is a Perl script which is widely used for making copies of remote
> FTP sites. It's included in FreeBSD packages. There are security holes
> which allow overwriting local files from a remote ftp site with the
> permissions of the user who uses mirror. When retrieving a directory
> listing, mirror doesn't check whether a filename or directory name
> contains ".." or "\". This allows files to be created or overwritten in
> a directory different from the destination.
>
> To simply test this bug you can create a " .." directory on your ftp
> site and mirror your site. Mirror will create temporary files in the
> directory one level higher than specified. This way you couldn't
> overwrite any useful information, but this may be used, for example,
> to fill up the / directory (if mirror is run from root).
>
> But with a few little changes to your ftpd (for example making it
> change '\' to '/' in listings) you can force mirror to overwrite _any_
> file with the permissions of the mirror user when he mirrors your ftp
> site.
>
>
> Tested with:
> $ mirror -v
> $Id: mirror.pl,v 2.9 1998/05/29 19:01:07 lmjm Exp lmjm $

I can confirm the behaviour you describe for mirror.pl,v 2.8 running on
Solaris, although I wasn't able to create any temporary files by using a
"\" in either the file names or the directory names.

However, the default mirror configuration shows the following part:

  # Don't touch anything whose name begins with a space!
  exclude_patt=(^|/)(.mirror$|.in..*.$|MIRROR.LOG|#.*#|.FSP|.cache|.zipped|lost+found/| )

(you might want to quote the space character at the end)

Even the man page recommends using the line above. Be careful not to
overwrite the keyword exclude_patt in your own mirror files. If you do
have to use exclude_patt, be sure to specify something like:

  exclude_patt+|^blah/|             (note the "+" sign!)

This should not allow temporary files to be created through " ..". At
least it didn't on my system.  :-)

Cheers,

        Stefan.

______________________________________________________________________________
Stefan Kelm            PGP key: "finger kelm@www.pca.dfn.de" or via key server
DFN-PCA                                                      <kelm@pca.dfn.de>
Vogt-Koelln-Str. 30                               http://www.pca.dfn.de/~kelm/
22527 Hamburg (Germany)                   Tel: +49 40 428 83-2262 / Fax: -2241
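As an added example (not code from mirror.pl or from either poster), the following Perl check applies the default exclude pattern quoted above and rejects the listing names discussed in this thread before they are mapped under the local mirror directory. The destination directory and the sample listing entries are constructed, and the regex metacharacters in the exclude pattern are assumed to be escaped as they would be in a Perl regex.

```perl
#!/usr/bin/perl
# Added example: validate names taken from a remote FTP listing before
# building a local path from them.  Not part of mirror.pl.
use strict;
use warnings;

# The default exclude pattern from the mirror configuration (assumed
# escaped).  The last alternative is a single space, so any name that
# begins with " " (such as " ..") is skipped.
my $exclude_patt =
  qr{(^|/)(\.mirror$|\.in\..*\.$|MIRROR\.LOG|#.*#|\.FSP|\.cache|\.zipped|lost\+found/| )};

# Return 1 if $name may safely be mapped under the destination directory,
# 0 otherwise.  Rejects the cases raised in the thread: ".." components,
# backslashes (which a modified ftpd could swap for "/"), absolute paths,
# leading whitespace, and anything matched by the exclude pattern.
sub safe_remote_name {
    my ($name) = @_;
    return 0 if !defined $name || $name eq '';
    return 0 if $name =~ /\\/;           # backslash: ambiguous separator
    return 0 if $name =~ m{^/};          # absolute path
    return 0 if $name =~ $exclude_patt;  # honour the exclude pattern
    for my $part (split m{/}, $name) {
        return 0 if $part eq '..' || $part eq '.' || $part eq '';
        return 0 if $part =~ /^\s/;      # leading whitespace (" ..")
    }
    return 1;
}

# Join a validated name to the destination directory; die otherwise.
sub local_path {
    my ($dest, $name) = @_;
    safe_remote_name($name)
      or die "refusing unsafe remote name: '$name'\n";
    $dest =~ s{/+$}{};
    return "$dest/$name";
}

# Constructed sample listing entries, as a hostile ftpd might send them.
my @listing = ('README', 'pub/file.txt', ' ..', '..', 'a/../../etc/passwd',
               '..\\passwd', '.mirror', '/etc/passwd');
for my $n (@listing) {
    printf "%-22s %s\n", "'$n'",
      safe_remote_name($n) ? local_path('/var/mirror/site', $n) : 'REJECTED';
}
```

Only 'README' and 'pub/file.txt' are mapped under /var/mirror/site; every other entry is reported as REJECTED.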