Re: Exploit for Linux wu.ftpd hole

Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl)
Thu, 6 Jul 1995 13:59:39 +0200

bt:
> You have to run as root to setuid to the user, to open the log files,
> and to chroot (for anon) to the ftp dir.. of course after login, root
> privs are not really needed.

They are needed to create ftp-data sockets (privileged port number).
That's why ftpd runs (most of the time) with the effective uid of the
user who is logged in, but real uid 0 (so that it can get root privs
for a while, to create a socket).  But no external program (like ls,
gzip, tar, ...) needs to run as root - there should be something like
setgid(getegid()); setuid(geteuid()); between fork and exec in ftpd_popen.
This would prevent the Slackware hole from giving root access.

Comments?

Marek Michalkiewicz
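
The fork/drop/exec pattern suggested in the message above, as an added example that is not part of the original post and not wu-ftpd code. The helper names are hypothetical. It uses setregid()/setreuid() instead of the literal setgid()/setuid() pair, because on Linux setuid() called with a non-root effective uid changes only the effective uid, and it verifies the drop before exec.

```c
/* Added example, not wu-ftpd code; run_dropped() is a hypothetical helper. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Make real, effective and saved ids equal to the current effective ids.
 * Group first: once the uid is unprivileged, a gid change may be refused. */
static int drop_privs_permanently(void)
{
    gid_t g = getegid();
    uid_t u = geteuid();
    if (setregid(g, g) != 0 || setreuid(u, u) != 0)
        return -1;
    if (getgid() != g || getegid() != g || getuid() != u || geteuid() != u)
        return -1;
    /* A real or saved uid of 0 would let one of these calls succeed. */
    if (u != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

/* fork, drop privileges in the child only, exec argv[0]. Returns the child's
 * exit status, 126 if the drop failed, 127 if exec failed, -1 on other errors. */
int run_dropped(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privs_permanently() != 0)
            _exit(126);             /* never exec with leftover privileges */
        execv(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample command: succeeds only if real uid == effective uid. */
    char *cmd[] = { "/bin/sh", "-c", "[ \"$(id -u)\" = \"$(id -ru)\" ]", NULL };
    printf("child exit status: %d\n", run_dropped(cmd));
    return 0;
}
```

The parent keeps its own ids untouched, so a daemon in the state the message describes could still regain root later to bind the data socket.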