[2038] in bugtraq
Re: Security Problem ftpd (includes wu.ftpd 2.4 and 2.4.2 beta 4)
daemon@ATHENA.MIT.EDU (don@paranoia.com)
Thu Jul 13 10:46:28 1995
Date: Thu, 13 Jul 1995 03:19:54 -0500
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: "don@paranoia.com" <don@paranoia.com>
X-To: bugtraq@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
>
> That is true,...however I've also tried to:
>
> 1) access a 'link' to /etc/shadow this way, and I could read the file.
> 2) overwrite /var/adm/xferlog this way ( echo "This file is hacked" > )
> (with a '>' not '>>') and what it did, it appended to the file,
> which looks weird because I specified that I wanted to overwrite;
> maybe, if someone explains to us how this actually works in the /proc
> filesystem, this isn't so strange?

Not strange at all. The "link" under /proc/x/fd is a link directly to
the file descriptor, not the file. So if the file was opened with, e.g.
open( "file", O_WRONLY|O_APPEND ), as most log files are, the file
pointer will be positioned at the end of the file before each write() --
regardless of whether you used '>' or '>>'.

So even if you can write to ftpd's xferlog, you can't overwrite data that
has already been written there.

--
Michael E. Glasgow -- don@paranoia.com
http://www.paranoia.com/