Re: wu-ftpd info.

der Mouse (mouse@collatz.mcrcim.mcgill.edu)
Wed, 13 Apr 1994 15:23:59 -0400

> What are the dangers posed by someone gaining root access, as through
> a trojaned ftpd, in a _chrooted_ environment, assuming that the
> environment gets chrooted before there's any chance of compromise?

That's a big assumption; I think the wuftpd bug didn't require
committing to anonymous access before the potential compromise.  But to
answer your question....

> Granted, you don't want strangers enabled to wreak havoc with your
> ftp hierarchy (and planting _more_ trojans), but what kind of threats
> can be posed to the rest of the system from such a toehold?

First, note that the lack of development tools (like cc) is not a
barrier, since we can probably assume that the intruder has access to a
binary-compatible machine.  (We certainly can't assume this is not so.)

What can you do as root?  Let's see.  You can create a new /dev/kmem or
/dev/mem with mknod(2) and use it to patch the location in the kernel
that holds your current root directory...and thereby blow chroot()'s
"security" clean out of the water.

					der Mouse

			    mouse@collatz.mcrcim.mcgill.edu
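
A defender's check for the device-node route described in the message above, added here as an example and not part of the original post: it walks a chroot tree looking for character or block device nodes, and reports whether the filesystem holding the tree is mounted `nodev`, which stops the kernel from honouring device nodes created there. It assumes Linux device numbering and the `/proc/mounts` format; the `/home/ftp` path and all function names are hypothetical.

```python
import os
import stat

# Assumption: Linux device numbering, where character major 1 is the memory
# class (minor 1 = mem, 2 = kmem, 4 = port); other Unixes number these differently.
LINUX_MEM_MINORS = {1: "mem", 2: "kmem", 4: "port"}

def classify(mode, rdev):
    """Return None for non-devices, else a short description of the node."""
    if stat.S_ISCHR(mode):
        kind = "char"
    elif stat.S_ISBLK(mode):
        kind = "block"
    else:
        return None
    major, minor = os.major(rdev), os.minor(rdev)
    name = LINUX_MEM_MINORS.get(minor) if (kind, major) == ("char", 1) else None
    label = f"{kind} {major}:{minor}"
    return f"{label} (kernel memory: {name})" if name else label

def find_device_nodes(root):
    """Walk a chroot tree without following symlinks; list (path, description)."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for entry in filenames:  # device nodes are reported among non-directories
            path = os.path.join(dirpath, entry)
            st = os.lstat(path)
            desc = classify(st.st_mode, st.st_rdev)
            if desc:
                hits.append((path, desc))
    return hits

def mount_has_nodev(path, mounts_text):
    """True if the longest mount point containing path is mounted nodev."""
    best, opts = "", []
    for fields in (ln.split() for ln in mounts_text.splitlines()):
        if len(fields) < 4:
            continue
        mnt = fields[1]
        if (path == mnt or path.startswith(mnt.rstrip("/") + "/")) and len(mnt) >= len(best):
            best, opts = mnt, fields[3].split(",")
    return "nodev" in opts

if __name__ == "__main__":
    tree = "/home/ftp"  # hypothetical anonymous-FTP chroot directory
    for path, desc in find_device_nodes(tree):
        print(f"device node in chroot: {path} [{desc}]")
    with open("/proc/mounts") as fh:  # Linux-specific mount table
        print("nodev:", mount_has_nodev(tree, fh.read()))
```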