[H-GEN] I can't login - HELP!
Byron Ellacott
bje at apnic.net
Mon Dec 20 00:41:58 EST 1999
[ Humbug *General* list - semi-serious discussions about Humbug and ]
[ Unix-related topics. Please observe the list's charter. ]
On Wed, 15 Dec 1999, Ben Carlyle wrote:
> Another possible reason to crack the /etc/shadow file is if
> your intruder has obtained the file through dubious measures,
> and is not actually a user on the account. Weak anonymous ftp
> implementations were renowned for this kind of problem in
> the past...
> ftp client: May I have your /etc/passwd file, please?
> ftp server: Why certainly, glad to be of service.
> (such servers usually run in chrooted environments these
> days, so the real sensitive information is literally not
> accessible).
> The shadowed password approach does not usually present
> a barrier to this entry, however, as many servers also
> (often unnecessarily) run as root and can therefore read
> the /etc/shadow file and pass it on. This is why networked
> services are especially sensitive to outside attack.
As a side note, FTP servers have run in chroot'd environments for anon.
access for quite a while, save for poorly set up FTP servers, or poorly
designed FTP servers, neither scenario being one the Conscientious Admin
will allow to happen. They rarely chroot for user FTP access, and through
buffer overrun type exploits, can sometimes be fooled into giving access
where access should not be given.
I would be very surprised if any reasonably modern FTP server would not do
a setuid(user_uid) as soon as it knows what user it should be running at
-- this way, it does not have to check the permissions of files itself.
Fork, get username/password, setuid, proceed. Same for any suid program.
Drop the root privileges ASAP.
One FTP exploit I'd like to mention involved anonymous uploads -- you
could upload a .so to an anonymous path, take a good guess at the location
in the Real filesystem (say, /home/ftp/pub/uploads/foobar.so) and then use
a curious feature of the Telnet protocol to export LD_PRELOAD=<file> to
login, thus allowing you to totally bypass password checks.
The short of this is, programs running as root require the highest level
of trust, and so should be statically linked, and should drop root privs
asap.
--
bje
--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.
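The "fork, authenticate, setuid, proceed" sequence described in the reply above, written out as an added example (not code from the original post or from any particular FTP server). It does the drop in the order that actually works, supplementary groups first (only root may change them), then gid, then uid, and then verifies that root cannot be regained, which is the check a careless daemon skips. The target uid/gid 65534 used when started as root is an assumption ("nobody" on many systems); the demo otherwise drops to the caller's own ids.

```c
#define _DEFAULT_SOURCE 1
#define _GNU_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if the process now runs as uid/gid and cannot regain root,
 * 0 otherwise. Safe to call whether or not we started as root. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0) {
        /* A real setuid() from root also overwrote the saved uid, so
         * trying to become root again must fail with EPERM. If it
         * succeeds, something was left behind (e.g. seteuid() was used
         * instead of setuid(), which keeps the saved uid as 0). */
        if (seteuid(0) == 0)
            return 0;
        if (errno != EPERM)
            return 0;
    }
    return 1;
}

/* Permanently drop to uid/gid. Order matters: supplementary groups
 * first (needs root), then the gid (needs root), then the uid, because
 * after setuid() to a non-root uid the first two calls would fail.
 * Returns 0 on success, -1 on any failure; a caller must treat -1 as
 * fatal and exit rather than carry on with whatever it still has. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0) {
        perror("setgroups");
        return -1;
    }
    if (setgid(gid) != 0) {
        perror("setgid");
        return -1;
    }
    if (setuid(uid) != 0) {
        perror("setuid");
        return -1;
    }
    if (!privileges_dropped(uid, gid)) {
        fprintf(stderr, "drop_privileges: root still regainable\n");
        return -1;
    }
    return 0;
}

/* Stand-alone demo (constructed): drop to the caller's own ids, which is
 * a no-op for an unprivileged user, or to the assumed uid/gid 65534 when
 * started as root. */
int main(void)
{
    uid_t uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getgid() == 0 ? (gid_t)65534 : getgid();
    if (drop_privileges(uid, gid) != 0)
        return 1;
    printf("running as uid %u gid %u; root cannot be regained\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

In a daemon the call sits right after the child has authenticated the user and before it touches any user-controlled path, so file permission checks are done by the kernel rather than by the server. Using setuid() rather than seteuid() is deliberate: seteuid() leaves the saved uid as 0 and the process can switch back, which is exactly the condition privileges_dropped() is there to catch.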