Re: [suse-security] ftpd
-----Original Message----- From: Sebastian Seitz <sebastian.seitz@berlin.snafu.de> To: Security Webmaster OKDesign oHG <security@okdesign.de> Cc: SuSE-Security-List <suse-security@suse.com> Date: Sunday, 30 January 2000 04:41 Subject: Re: [suse-security] ftpd
First of all, chroot is crap. Every idiot's exploits break it. Second thing: you remembered about ls and its libraries...? :P
Hi, chroot'ing anonymous logins is standard behaviour of wu.ftpd distributed with SuSE (at least AFAIK), so "ls and its libraries" and all the other necessary commands are working fine. And about the security level of chroot: well, maybe there are enough folks around being able to break it. But at least it's a little bit of security stopping the not-so-experienced users. And even the experienced ones would need a little time to break it. I won't have anything really valuable on the server, so why should anyone make efforts to break it? BTW, what has this to do with my question? --- Stephan
Hi, chroot'ing anonymous logins is standard behaviour of wu.ftpd distributed with SuSE (at least AFAIK), so "ls and its libraries" and all the other necessary commands are working fine. And about the security level of chroot: well, maybe there are enough folks around being able to break it. But at least it's a little bit of security stopping the not-so-experienced users. And even the experienced ones would need a little time to break it. I won't have anything really valuable on the server, so why should anyone make efforts to break it?
That's crap. I'm able to break chroot with >10 lines of code in the sploid. Second thing: you have to put ls in /usr/local/ftp/bin too and its needed libraries in /usr/local/ftp/lib...
BTW, what has this to do with my question?
I'm trying to help you. Sebastian -- email: sebastian@seitz.cc phone: 49-(0)700-27011979, fax: 49-(0)40-43272831 web: http://www.seitz.cc, http://www.uni-humbug.de anything else: http://www.seitz.cc/newsgroups
* Sebastian Seitz wrote on Sun, Jan 30, 2000 at 21:52 +0100:
stopping the not-so-experienced users. And even the experienced ones would need a little time to break it. I won't have anything really valuable on
That's crap. I'm able to break chroot with >10 lines of code in the sploid. Second thing: you have to put ls in /usr/local/ftp/bin too and its needed libraries in /usr/local/ftp/lib...
Is it really that easy? I'm surprised! (But what does "sploid" mean?) Are you saying that you can break a chroot'ed anonymous FTP server with a little piece of code? How would that work? I thought the kernel offers definitely no chance for a process to break a chroot? oki, Steffen -- This letter was produced by machine and therefore bears neither signature nor seal.
On Mon, 31 Jan 2000, Steffen Dettmer wrote:
* Sebastian Seitz wrote on Sun, Jan 30, 2000 at 21:52 +0100:
stopping the not-so-experienced users. And even the experienced ones would need a little time to break it. I won't have anything really valuable on
That's crap. I'm able to break chroot with >10 lines of code in the sploid. Second thing: you have to put ls in /usr/local/ftp/bin too and its needed libraries in /usr/local/ftp/lib...
Is it really that easy? I'm surprised! (But what does "sploid" mean?) I think he meant exploit.
Are you saying that you can break a chroot'ed anonymous FTP server with a little piece of code? How would that work? I thought the kernel offers definitely no chance for a process to break a chroot? The usual exploit is a buffer overrun that -- for lack of a better term -- hijacks the ftpd process and executes shell code as that process's UID and whatnot; since ftpd runs on port 21, it generally is run as root. Although I'm a lousy programmer, I think that the "break chroot" is more of a condition of a faulty anonymous ftpd setup than an inherent flaw in chroot(), which will only work as long as the program doesn't get buffer overrun.
dan
On 31-Jan-2000 Emmerich Eggler wrote:
Sebastian Seitz wrote:
That's crap. I'm able to break chroot with >10 lines of code in the sploid.
I'm curious to see these ten or so lines.
Take a look at them, e.g. at: http://www.bpfh.net/simes/computing/chroot-break.html Sebastian Seitz mail: sebastian@seitz.cc phone: 49-(0)700-27011979, fax: 49-(0)40-43272831 web: http://www.seitz.cc, http://www.uni-humbug.de anything else: http://www.seitz.cc/newsgroups
Hi, On Mon, 31 Jan 2000, Sebastian Seitz wrote:
On 31-Jan-2000 Emmerich Eggler wrote:
Sebastian Seitz wrote:
That's crap. I'm able to break chroot with >10 lines of code in the sploid.
I'm curious to see these ten or so lines.
Take a look at them, e.g. at: http://www.bpfh.net/simes/computing/chroot-break.html
He uses chroot() and so must have UID 0. This is just one way to break a chroot'ed env. w/ having UID 0.
Sebastian Seitz
mail: sebastian@seitz.cc phone: 49-(0)700-27011979, fax: 49-(0)40-43272831 web: http://www.seitz.cc, http://www.uni-humbug.de anything else: http://www.seitz.cc/newsgroups
Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
Hi,
That's crap. I'm able to break chroot with >10 lines of code in the sploid.
If you are able to execute code before the chroot() or as root in the chroot environment, you are able to break out of chroot'ed dirs. Every chroot howto tells you that chroot() isn't immune against UID 0. Bye, Thomas -- Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: thomas@suse.de Function: Security Support & Auditing "lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka" Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
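Dan's remark (ftpd binds port 21, so it runs as root) and Thomas's (chroot() is not immune against UID 0) point at the same defensive rule: a chroot only holds if the process inside it has given up root before it handles untrusted input. The C program below is an added example, not code from wu.ftpd, SuSE or anyone on the list. It shows the hardening sequence a daemon should run after binding its port: chroot(), then chdir("/") so the working directory does not remain outside the jail, then drop supplementary groups, gid and uid in that order, and finally verify that root cannot be regained. The jail path /usr/local/ftp comes from the thread; the uid/gid 65534 ("nobody") and all function names are assumptions.

```c
/* Added example: enter a chroot jail and drop UID 0 afterwards.
 * Not code from wu.ftpd or from anyone on the thread; the path and the
 * uid/gid values are assumptions chosen for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1: confine the file system view. chdir("/") must follow chroot(),
 * otherwise the working directory still refers to a path outside the
 * new root. Needs UID 0 (or CAP_SYS_CHROOT on Linux). */
int enter_chroot_jail(const char *dir)
{
    if (chroot(dir) != 0) return -1;
    if (chdir("/") != 0) return -1;
    return 0;
}

/* Step 2: give up UID 0 for good. Order matters: supplementary groups and
 * the gid have to go first, because once the uid is unprivileged the
 * process may no longer change them. Returns 0 on success or a negative
 * step number, so a caller can log which step failed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) return -1;                       /* refuse to "drop" to root */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) /* only root may clear groups */
        return -2;
    if (setgid(gid) != 0) return -3;
    if (setuid(uid) != 0) return -4;
    /* Paranoia check: a real drop cannot be undone. If setuid(0) succeeds
     * here, the saved set-user-ID was left at 0 and the jail is worthless. */
    if (setuid(0) == 0) return -5;
    if (getuid() != uid || geteuid() != uid) return -6;
    if (getgid() != gid || getegid() != gid) return -7;
    return 0;
}

/* 1 if the process still holds effective UID 0, else 0. */
int running_as_root(void)
{
    return geteuid() == 0;
}

/* Demo targets: the conventional "nobody" ids (65534, an assumption) when
 * started as root, or the caller's own ids when already unprivileged, so
 * the drop sequence can be exercised without root. */
uid_t demo_target_uid(void) { return geteuid() == 0 ? (uid_t)65534 : getuid(); }
gid_t demo_target_gid(void) { return geteuid() == 0 ? (gid_t)65534 : getgid(); }

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/usr/local/ftp"; /* assumed jail path */

    if (enter_chroot_jail(jail) != 0) {
        fprintf(stderr, "chroot(%s) failed: %s\n", jail, strerror(errno));
        return 1;
    }
    int rc = drop_privileges(demo_target_uid(), demo_target_gid());
    if (rc != 0) {
        fprintf(stderr, "privilege drop failed at step %d\n", -rc);
        return 1;
    }
    printf("jailed in %s, uid=%d, still root: %s\n", jail, (int)getuid(),
           running_as_root() ? "YES (bad)" : "no");
    return 0;
}
```

Run as root with a prepared jail directory (`./jail /usr/local/ftp`) to see the full sequence; run unprivileged and `enter_chroot_jail()` fails with EPERM, while `drop_privileges()` can still be exercised on its own. The step numbers returned by `drop_privileges()` are meant for the daemon's log, so an operator can tell a failed setgroups() from a saved-uid problem.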
participants (6)
- Daniel L. Donahue
- Emmerich Eggler
- Sebastian Seitz
- Security Webmaster OKDesign oHG
- Steffen Dettmer
- Thomas Biege