Date:         Mon, 26 Jun 2000 10:54:25 +0200
From: Raymond Dijkxhoorn <raymond@THRIJSWIJK.NL>
Subject:      Glftpd privpath bugs... +fix
To: BUGTRAQ@SECURITYFOCUS.COM

Hi!

Glftpd 1.18 till 1.21b8 (current beta) have a serious problem with the
privpath directives....

It will probably be fixed in the coming 1.21b9 but I have included a
quick fix in this one to prevent exploits of this bug. Thanks to Hoopy for
the quick fix (glftpd dev team).

Problem:

When you know the private dir names on a site, or groupdirs, you can just
'try' to get in .. and it's very easy. If you know the name of a groupdir you
can simply change into it using the completion function on glftpd.

If you have a private dir / group dir:

For example....

/Groups/Mygroup and you have a dir named 'test' there.

you can simply jump to it by typing 'chdir /Groups/Mygroup/t'.
glftpd does not check if you have the proper rights to see the dir, it
just hops in there without any problem. So if you try a-9 on the dirnames
you can see all stuff inside a private dir, takes some time, but with a
nice script it's not that hard... ;-)

Fix:

Put in the attached fix, instructions are also inside the .c file.
It will ONLY prevent exploiting of the bug on glftpd 1.20 and above, so if you're
running <1.20 then upgrade to the latest version. I'll post a short note
when the fixed binary is out also....

In the glftpd.conf: cscript cwd pre /bin/leakfix

Bye,
Raymond Dijkxhoorn.




[Attachment: leakfix.c]
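The check the message above calls for, as an added example that is neither glftpd code nor the attached leakfix.c: expand the typed prefix first, then apply the private-path rule to the directory that was actually selected. The directory list, the privpath table layout and every function name here are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample data: site directories and one private path (assumed layout). */
static const char *dirs[] = { "/Groups/Mygroup", "/Groups/Mygroup/test", "/Pub", "/Pub/tools" };
struct priv { const char *path; const char *group; };
static const struct priv privpaths[] = { { "/Groups/Mygroup", "mygroup" } };

#define NDIRS (sizeof dirs / sizeof dirs[0])
#define NPRIV (sizeof privpaths / sizeof privpaths[0])

/* Completion: return the first directory whose full path starts with the typed text. */
static const char *complete_dir(const char *typed) {
    for (size_t i = 0; i < NDIRS; i++)
        if (strncmp(dirs[i], typed, strlen(typed)) == 0)
            return dirs[i];
    return NULL;
}

/* 1 if path is base itself or lies beneath it (match on whole path components). */
static int under(const char *path, const char *base) {
    size_t n = strlen(base);
    return strncmp(path, base, n) == 0 && (path[n] == '\0' || path[n] == '/');
}

/* Private-path rule: deny when a covering entry belongs to another group. */
static int allowed(const char *path, const char *group) {
    for (size_t i = 0; i < NPRIV; i++)
        if (under(path, privpaths[i].path) && strcmp(group, privpaths[i].group) != 0)
            return 0;
    return 1;
}

/* Hardened chdir: authorize the completed target, never the typed string. */
static const char *safe_chdir(const char *typed, const char *group) {
    const char *target = complete_dir(typed);
    if (target == NULL || !allowed(target, group))
        return NULL; /* same answer for "missing" and "private": no existence leak */
    return target;
}

int main(void) {
    const char *r = safe_chdir("/Groups/Mygroup/t", "other");
    printf("outsider: %s\n", r ? r : "denied");
    r = safe_chdir("/Groups/Mygroup/t", "mygroup");
    printf("member:   %s\n", r ? r : "denied");
    return 0;
}
```

Returning the same result for a private directory and a nonexistent one matters here, because the message describes guessing directory names one prefix at a time.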