Bugzilla – Attachment 16170 Details for
Bug 49995
VUL-0: CVE-2004-0148: wuftpd: break chroot
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
IDP Log In
|
Forgot Password
vendor-sec discussion
wuftp.txt (text/plain), 12.38 KB, created by
Thomas Biege
on 2004-02-25 20:36:06 UTC
(
hide
)
Description:
vendor-sec discussion
Filename:
MIME Type:
Creator:
Thomas Biege
Created:
2004-02-25 20:36:06 UTC
Size:
12.38 KB
patch
obsolete
>From mdz@debian.org Wed Feb 25 13:30:41 2004 >Date: Tue, 17 Feb 2004 21:50:11 -0800 >From: Matt Zimmerman <mdz@debian.org> >To: vendor-sec@lst.de >Subject: [vendor-sec] [Security bug in wu-ftpd 2.6.2, > users breaking out with chmod] > >This just came in; I've assigned it CAN-2004-0148. Based on past experience >I have some doubt that we'll hear from the upstream maintainers, but the >submitter says that he contacted them already. > >-- > - mdz > > [ Part 1.2: "Included Message" ] > >Date: Wed, 18 Feb 2004 13:44:25 +1100 >From: Glenn Stewart <glenn_stewart@pacific.net.au> >To: team@security.debian.org >Subject: Security bug in wu-ftpd 2.6.2, users breaking out with chmod > >Hi, > >We are running wu-ftpd 2.6.2-3woody2 under Debian Linux. > >/etc/wu-ftpd/ftpaccess has the line: restricted-gid home > (yes the tested users have the correct GID) > >Users can get around the restriction to their home directory by issuing a >simple chmod command on their home directory. On the next ftp log in, the user >will have '/' as their root directory. > >Cheers, > >Glenn > > >-- >Glenn Stewart / Senior Operations Engineer >Pacific Internet (Australia) Pty Ltd. > >E-mail: glenn_stewart@pacific.net.au >Direct Tel: +61 3 9674 7623 >Mobile: +61 (0) 404 084 303 >Fax: +61 3 9698 4923 >www.pacific.net.au >Level 1, 1 Southbank Boulevard >Southbank VIC 3006 > >Australia / Singapore / Hong Kong / Philippines / India / Thailand / >Malaysia > >Pacific Internet is a Certified Customer Service Organisation under The >International Customer Service Standard ICSS. > >Disclaimer - http://www.pacific.net.au/disclaimer/ > > [ Part 1.3: "Included Message" ] > >Date: Wed, 18 Feb 2004 14:07:36 +1100 >From: Glenn Stewart <glenn_stewart@pacific.net.au> >To: Matt Zimmerman <mdz@debian.org> >Subject: Re: Security bug in wu-ftpd 2.6.2, users breaking out with chmod > >> On Wed, Feb 18, 2004 at 01:44:25PM +1100, Glenn Stewart wrote: >> >> > We are running wu-ftpd 2.6.2-3woody2 under Debian Linux. >> > >> > /etc/wu-ftpd/ftpaccess has the line: restricted-gid home >> > (yes the tested users have the correct GID) >> > >> > Users can get around the restriction to their home directory by issuing a >> > simple chmod command on their home directory. On the next ftp log in, the user >> > will have '/' as their root directory. >> >> Thanks for notifying us. Did you discover this problem? Has anyone else >> been notified? Is it OK to share this information with other vendors who >> may distribute wu-ftpd? >> >> What chmod command specifically? Is the idea to deny the user permission to >> enter their own home directory, causing a fallback to '/'? >> >> -- >> - mdz > >I discovered the problem quite recently. > >I have notified the wuftpd developers and no one else. > >Feel free to share this information with other vendors, although it is >probably best to keep it from public view for the time being. > >The idea is 'to deny the user permission to enter their own home directory, >causing a fallback'. The below example should clarify. > >---- >Remote system type is UNIX. >Using binary mode to transfer files. >ftp> cd .. >550 Permission denied on server. You are restricted to your account. >ftp> pwd >257 "/" is current directory. >ftp> ls >200 PORT command successful. >150 Opening ASCII mode data connection for /bin/ls. >total 4 >drwx--x--x 2 xxx_xxxx home 4096 May 22 2002 public_html >226 Transfer complete. >ftp> chmod 0 . >200 CHMOD command successful. >ftp> quit > >... re-login ... > >Remote system type is UNIX. >Using binary mode to transfer files. >ftp> ls >200 PORT command successful. >150 Opening ASCII mode data connection for /bin/ls. >total 64 >drwxr-xr-x 2 root root 2048 Nov 23 14:42 bin >drwxr-xr-x 2 root root 1024 Jan 8 15:29 boot >drwxr-xr-x 2 root root 1024 Dec 1 2000 cdrom >...etc... > >Cheers, > >Glenn > >-- >Glenn Stewart / Senior Operations Engineer >Pacific Internet (Australia) Pty Ltd. > >E-mail: glenn_stewart@pacific.net.au >Direct Tel: +61 3 9674 7623 >Mobile: +61 (0) 404 084 303 >Fax: +61 3 9698 4923 >www.pacific.net.au >Level 1, 1 Southbank Boulevard >Southbank VIC 3006 > >Australia / Singapore / Hong Kong / Philippines / India / Thailand / >Malaysia > >Pacific Internet is a Certified Customer Service Organisation under The >International Customer Service Standard ICSS. > >Disclaimer - http://www.pacific.net.au/disclaimer/ > > [ Part 2, "Digital signature" Application/PGP-SIGNATURE 196bytes. ] > [ Unable to print this part. ] > > >From trini@mvista.com Wed Feb 25 13:30:44 2004 >Date: Tue, 24 Feb 2004 10:55:48 -0700 >From: Tom Rini <trini@mvista.com> >To: vendor-sec@lst.de >Subject: Re: [vendor-sec] [Security bug in wu-ftpd 2.6.2, > users breaking out with chmod] > >On Tue, Feb 17, 2004 at 09:50:11PM -0800, Matt Zimmerman wrote: > >> This just came in; I've assigned it CAN-2004-0148. Based on past experience >> I have some doubt that we'll hear from the upstream maintainers, but the >> submitter says that he contacted them already. > >Is there a patch for this issue yet? Thanks. > >-- >Tom > > [ Part 2, "Digital signature" Application/PGP-SIGNATURE 196bytes. ] > [ Unable to print this part. ] > > >From mdz@debian.org Wed Feb 25 13:30:49 2004 >Date: Tue, 24 Feb 2004 13:09:58 -0800 >From: Matt Zimmerman <mdz@debian.org> >To: Tom Rini <trini@mvista.com> >Cc: vendor-sec@lst.de >Subject: Re: [vendor-sec] [Security bug in wu-ftpd 2.6.2, > users breaking out with chmod] > >On Tue, Feb 24, 2004 at 10:55:48AM -0700, Tom Rini wrote: > >> On Tue, Feb 17, 2004 at 09:50:11PM -0800, Matt Zimmerman wrote: >> >> > This just came in; I've assigned it CAN-2004-0148. Based on past experience >> > I have some doubt that we'll hear from the upstream maintainers, but the >> > submitter says that he contacted them already. >> >> Is there a patch for this issue yet? Thanks. > >As expected, we haven't heard anything from upstream about it. Here's what >I did, which seems to prevent the attack vector described by the submitter. > >-- > - mdz > > [ Part 1.2, Text/PLAIN 28 lines. ] > [ Unable to print this part. ] > > > [ Part 2, "Digital signature" Application/PGP-SIGNATURE 196bytes. ] > [ Unable to print this part. ] > > >From trini@mvista.com Wed Feb 25 13:31:57 2004 >Date: Tue, 24 Feb 2004 15:01:57 -0700 >From: Tom Rini <trini@mvista.com> >To: vendor-sec@lst.de >Subject: Re: [vendor-sec] [Security bug in wu-ftpd 2.6.2, > users breaking out with chmod] > >On Tue, Feb 24, 2004 at 01:09:58PM -0800, Matt Zimmerman wrote: > >> On Tue, Feb 24, 2004 at 10:55:48AM -0700, Tom Rini wrote: >> >> > On Tue, Feb 17, 2004 at 09:50:11PM -0800, Matt Zimmerman wrote: >> > >> > > This just came in; I've assigned it CAN-2004-0148. Based on past experience >> > > I have some doubt that we'll hear from the upstream maintainers, but the >> > > submitter says that he contacted them already. >> > >> > Is there a patch for this issue yet? Thanks. >> >> As expected, we haven't heard anything from upstream about it. Here's what >> I did, which seems to prevent the attack vector described by the submitter. > >Thanks. Is there a disclosure date for this yet (or an idea of when one >might be)? > >-- >Tom > > [ Part 2, "Digital signature" Application/PGP-SIGNATURE 196bytes. ] > [ Unable to print this part. ] > > >From mdz@debian.org Wed Feb 25 13:32:05 2004 >Date: Tue, 24 Feb 2004 14:22:53 -0800 >From: Matt Zimmerman <mdz@debian.org> >To: Tom Rini <trini@mvista.com> >Cc: vendor-sec@lst.de >Subject: Re: [vendor-sec] [Security bug in wu-ftpd 2.6.2, > users breaking out with chmod] > >On Tue, Feb 24, 2004 at 03:01:57PM -0700, Tom Rini wrote: > >> On Tue, Feb 24, 2004 at 01:09:58PM -0800, Matt Zimmerman wrote: >> >> > On Tue, Feb 24, 2004 at 10:55:48AM -0700, Tom Rini wrote: >> > >> > > On Tue, Feb 17, 2004 at 09:50:11PM -0800, Matt Zimmerman wrote: >> > > >> > > > This just came in; I've assigned it CAN-2004-0148. Based on past experience >> > > > I have some doubt that we'll hear from the upstream maintainers, but the >> > > > submitter says that he contacted them already. >> > > >> > > Is there a patch for this issue yet? Thanks. >> > >> > As expected, we haven't heard anything from upstream about it. Here's what >> > I did, which seems to prevent the attack vector described by the submitter. >> >> Thanks. Is there a disclosure date for this yet (or an idea of when one >> might be)? > >No one has spoken up asking for time as yet; if no one does, I suppose we'll >release when our update is ready. > >-- > - mdz >_______________________________________________ >Vendor Security mailing list >Vendor Security@lst.de >https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec > >From mhatle@mvista.com Wed Feb 25 13:32:10 2004 >Date: Tue, 24 Feb 2004 17:50:06 -0600 >From: Mark Hatle <mhatle@mvista.com> >To: Matt Zimmerman <mdz@debian.org> >Cc: Tom Rini <trini@mvista.com>, vendor-sec@lst.de >Subject: Re: [vendor-sec] [Security bug in wu-ftpd 2.6.2, > users breaking out with chmod] > >Matt Zimmerman wrote: >>> >>>Thanks. Is there a disclosure date for this yet (or an idea of when one >>>might be)? >> >> >> No one has spoken up asking for time as yet; if no one does, I suppose we'll >> release when our update is ready. >> > >We definatly would like to coordinate this with you. Let us know of a >time frame you are thinking of and we'll be ready. (within reason of >course) <grin> > >--Mark > >_______________________________________________ >Vendor Security mailing list >Vendor Security@lst.de >https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec > >From mdz@debian.org Wed Feb 25 13:32:14 2004 >Date: Tue, 24 Feb 2004 15:53:11 -0800 >From: Matt Zimmerman <mdz@debian.org> >To: Mark Hatle <mhatle@mvista.com> >Cc: Tom Rini <trini@mvista.com>, vendor-sec@lst.de >Subject: Re: [vendor-sec] [Security bug in wu-ftpd 2.6.2, > users breaking out with chmod] > >On Tue, Feb 24, 2004 at 05:50:06PM -0600, Mark Hatle wrote: > >> Matt Zimmerman wrote: >> >> >> >>Thanks. Is there a disclosure date for this yet (or an idea of when one >> >>might be)? >> > >> > >> >No one has spoken up asking for time as yet; if no one does, I suppose >> >we'll >> >release when our update is ready. >> > >> >> We definatly would like to coordinate this with you. Let us know of a >> time frame you are thinking of and we'll be ready. (within reason of >> course) <grin> > >How about two weeks from today, 2004-03-08? > >-- > - mdz >_______________________________________________ >Vendor Security mailing list >Vendor Security@lst.de >https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec > >From mdz@debian.org Wed Feb 25 13:32:20 2004 >Date: Tue, 24 Feb 2004 15:54:10 -0800 >From: Matt Zimmerman <mdz@debian.org> >To: Mark Hatle <mhatle@mvista.com>, Tom Rini <trini@mvista.com>, > vendor-sec@lst.de >Subject: Re: [vendor-sec] [Security bug in wu-ftpd 2.6.2, > users breaking out with chmod] > >On Tue, Feb 24, 2004 at 03:53:11PM -0800, Matt Zimmerman wrote: > >> On Tue, Feb 24, 2004 at 05:50:06PM -0600, Mark Hatle wrote: >> >> > Matt Zimmerman wrote: >> > >> >> > >>Thanks. Is there a disclosure date for this yet (or an idea of when one >> > >>might be)? >> > > >> > > >> > >No one has spoken up asking for time as yet; if no one does, I suppose >> > >we'll >> > >release when our update is ready. >> > > >> > >> > We definatly would like to coordinate this with you. Let us know of a >> > time frame you are thinking of and we'll be ready. (within reason of >> > course) <grin> >> >> How about two weeks from today, 2004-03-08? > ><peering at calendar> > >that's a day less than two weeks from today; disregard the first half of >that sentence. > >-- > - mdz >_______________________________________________ >Vendor Security mailing list >Vendor Security@lst.de >https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec > >From trini@mvista.com Wed Feb 25 13:32:26 2004 >Date: Tue, 24 Feb 2004 16:59:22 -0700 >From: Tom Rini <trini@mvista.com> >To: Mark Hatle <mhatle@mvista.com>, vendor-sec@lst.de >Subject: Re: [vendor-sec] [Security bug in wu-ftpd 2.6.2, > users breaking out with chmod] > >On Tue, Feb 24, 2004 at 03:53:11PM -0800, Matt Zimmerman wrote: > >> On Tue, Feb 24, 2004 at 05:50:06PM -0600, Mark Hatle wrote: >> >> > Matt Zimmerman wrote: >> > >> >> > >>Thanks. Is there a disclosure date for this yet (or an idea of when one >> > >>might be)? >> > > >> > > >> > >No one has spoken up asking for time as yet; if no one does, I suppose >> > >we'll >> > >release when our update is ready. >> > > >> > >> > We definatly would like to coordinate this with you. Let us know of a >> > time frame you are thinking of and we'll be ready. (within reason of >> > course) <grin> >> >> How about two weeks from today, 2004-03-08? > >OK, that works for us. > >-- >Tom > > [ Part 2, "Digital signature" Application/PGP-SIGNATURE 196bytes. ] > [ Unable to print this part. ] >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=16170">View the attachment on a separate page</a>.</b>
Actions:
View
Attachments on
bug 49995
: 16170 |
16171
|
16202