[20321] in bugtraq
Re: OpenBSD 2.8 ftpd/glob exploit (breaks chroot)
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Thu Apr 19 15:34:20 2001
Message-ID: <Pine.LNX.4.21.0104182312170.1102-100000@nimue.bos.bindview.com>
Date: Wed, 18 Apr 2001 23:22:38 -0400
Reply-To: Michal Zalewski <lcamtuf@BOS.BINDVIEW.COM>
From: Michal Zalewski <lcamtuf@BOS.BINDVIEW.COM>
X-To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200104181401.f3IE1tP03684@syn.hamachi.org>
On Wed, 18 Apr 2001, Bill Sommerfeld wrote:
> For the record, I blocked this way of breaking out of chroot in NetBSD
> in 1999; the fix is present in NetBSD 1.4 and later releases. I'm
> surprised that this hasn't been picked up by more distributions.
That would not decrease possible damage caused by this kind of remote root
vulnerability in a typical system, where it is possible to attach to
processes running outside chroot via ptrace and execute malicious code in a
non-chrooted environment, as well as do other tricks - module loading,
creating / accessing special devices, etc. Security improvement would be
visible only on systems where all other possibly dangerous operations are
not available to superuser (rare configuration). But, in general, this is a
tricky business, and having a chrooted attacker with superuser privileges on
your system should make you feel safe, anyway.
--
_______________________________________________________
Michal Zalewski [lcamtuf@bos.bindview.com] | [security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
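The reply above argues that a root process inside a chroot can still reach the host through device nodes and similar artifacts. As an added, defender-side example that is not part of the thread, the following audit walks a jail directory and reports the artifacts an administrator would not want to find there: device nodes, setuid/setgid binaries, and world-writable directories without the sticky bit. The jail path and the three finding categories are this example's own assumptions.

```python
"""Audit a chroot tree for artifacts that weaken it as a containment boundary.

Added example, not code from the bugtraq thread. The categories checked
are this example's own choice, derived from the escape vectors the post
names (special devices inside the jail, privileged binaries, writable dirs).
"""
import os
import stat
from pathlib import Path


def audit_chroot(root):
    """Return a sorted list of (kind, path_relative_to_root) findings.

    kind is one of:
      "device" - a character or block device node inside the jail
      "setuid" - a regular file with the setuid or setgid bit set
      "ww_dir" - a world-writable directory that lacks the sticky bit
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            try:
                st = os.lstat(p)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            rel = str(p.relative_to(root))
            mode = st.st_mode
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append(("device", rel))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid", rel))
            if (stat.S_ISDIR(mode) and mode & stat.S_IWOTH
                    and not mode & stat.S_ISVTX):
                findings.append(("ww_dir", rel))
    return sorted(findings)


def jail_is_clean(root):
    """True when the tree under `root` has none of the audited artifacts."""
    return not audit_chroot(root)


if __name__ == "__main__":
    import sys
    jail = sys.argv[1] if len(sys.argv) > 1 else "/var/ftp"  # assumed default path
    for kind, rel in audit_chroot(jail):
        print(f"{kind:7s} {rel}")
```

Device nodes can only be created by root, so a populated finding list for a jail that a root-running daemon uses is exactly the situation the post warns about.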