NetBSD ftpchroot Parsing Vulnerability
BID:1273
Info
NetBSD ftpchroot Parsing Vulnerability
| Bugtraq ID: | 1273 |
| Class: | Design Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | May 28 2000 12:00AM |
| Updated: | May 28 2000 12:00AM |
| Credit: | First published in NetBSD Security Advisory NetBSD-SA2000-006 published on May 28, 2000. |
| Vulnerable: |
NetBSD NetBSD 1.4.2 x86 NetBSD NetBSD 1.4.2 SPARC NetBSD NetBSD 1.4.2 arm32 NetBSD NetBSD 1.4.2 Alpha |
| Not Vulnerable: | |
Discussion
NetBSD ftpchroot Parsing Vulnerability
In NetBSD 1.4.2 there exists an ftpd vulnerability which prevents /etc/ftpchroot from being used properly to chroot() specific users. chroot() is a system call that changes the root directory of a process, it is used to prevent access of a process outside of a certain subdirectory tree in a filesystem. /etc/ftpchroot is a file that lists users who are to be chroot()ed in their home directories by the ftp daemon, meaning they can only access the directory tree below their homedir. Unfortunately, what was meant to be a fix in other code caused a parsing error that resulted in /etc/ftpchroot not being interpreted properly and thus not restricting the access of the users.
In NetBSD 1.4.2 there exists an ftpd vulnerability which prevents /etc/ftpchroot from being used properly to chroot() specific users. chroot() is a system call that changes the root directory of a process, it is used to prevent access of a process outside of a certain subdirectory tree in a filesystem. /etc/ftpchroot is a file that lists users who are to be chroot()ed in their home directories by the ftp daemon, meaning they can only access the directory tree below their homedir. Unfortunately, what was meant to be a fix in other code caused a parsing error that resulted in /etc/ftpchroot not being interpreted properly and thus not restricting the access of the users.
Exploit / POC
NetBSD ftpchroot Parsing Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
NetBSD ftpchroot Parsing Vulnerability
Solution:
From the advisory:
This problem affects only NetBSD-1.4.2 and versions of NetBSD-current
between 19990930 and 19991212; it does not affect NetBSD-1.4.1 or
earlier, or versions of NetBSD-current after 19991212 or before 19990930.
If you do not need to use /etc/ftpchroot, you do not need to take any
action.
If you're running NetBSD-current fetched between the above dates,
update to a newer version of NetBSD-current.
If you're runing NetBSD-1.4.2, fetch the following patch, apply it to
src/libexec/ftpd/ftpd.c using the patch(1) command, rebuild and
reinstall ftpd, and kill off any existing FTP daemons (to ensure that
any improperly granted access is revoked).
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000527-ftpd
Since the patch is small, it is reproduced inline here:
*** ftpd.c 1999/10/01 12:08:06 1.61.2.1
- --- ftpd.c 2000/05/11 10:14:37 1.61.2.2
***************
*** 489,496 ****
if (glob == NULL || glob[0] == '#')
continue;
perm = strtok(NULL, " \t\n");
- - if (perm == NULL)
- - continue;
if (fnmatch(glob, name, 0) == 0) {
if (perm != NULL &&
((strcasecmp(perm, "allow") == 0) ||
- --- 489,494 ----
Solution:
From the advisory:
This problem affects only NetBSD-1.4.2 and versions of NetBSD-current
between 19990930 and 19991212; it does not affect NetBSD-1.4.1 or
earlier, or versions of NetBSD-current after 19991212 or before 19990930.
If you do not need to use /etc/ftpchroot, you do not need to take any
action.
If you're running NetBSD-current fetched between the above dates,
update to a newer version of NetBSD-current.
If you're runing NetBSD-1.4.2, fetch the following patch, apply it to
src/libexec/ftpd/ftpd.c using the patch(1) command, rebuild and
reinstall ftpd, and kill off any existing FTP daemons (to ensure that
any improperly granted access is revoked).
ftp://ftp.NetBSD.ORG/pub/NetBSD/misc/security/patches/20000527-ftpd
Since the patch is small, it is reproduced inline here:
*** ftpd.c 1999/10/01 12:08:06 1.61.2.1
- --- ftpd.c 2000/05/11 10:14:37 1.61.2.2
***************
*** 489,496 ****
if (glob == NULL || glob[0] == '#')
continue;
perm = strtok(NULL, " \t\n");
- - if (perm == NULL)
- - continue;
if (fnmatch(glob, name, 0) == 0) {
if (perm != NULL &&
((strcasecmp(perm, "allow") == 0) ||
- --- 489,494 ----