SECURITY HOLE in tftpd
Larry Philps
larry at utecfa.UUCP
Fri Sep 28 07:50:21 AEST 1984
Sorry, the "better" fix shown below will not work.
>From: lee at unmvax.UUCP
>Subject: SECURITY HOLE in tftpd
> ...
>+ /* Check path first */
>+ ptr = file;
>+ ptr++;
>+ while (*ptr) {
>+ if (*ptr++ != '/')
>+ continue;
>+ ptr--;
>+ *ptr = NULL;
>+ sret = stat(file, &stbuf); /*********/
>+ *ptr++ = '/';
>+ if (sret < 0)
>+ return (errno == ENOENT ? ENOTFOUND : EACCESS);
>+ if (!((stbuf.st_mode&S_IFMT)&S_IFDIR))
>+ break;
>+ if ((stbuf.st_mode&(S_IEXEC >> 6)) == 0)
>+ return (EACCESS);
>+ }
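Review bot: the stat() at the marked line (`sret = stat(file, &stbuf);`) runs with the daemon's root privileges and follows symbolic links, so when any component of `file` is a symlink the directories its target passes through are never visited by this loop and their permission bits are never tested; only the components of the name as typed are. A walk over the typed name cannot be made safe on its own: either refuse symlink components (lstat() and check for S_IFLNK) or canonicalise the path before walking it, and even then the check is separated in time from the later open, so the robust fix is to perform the open without root privileges and let the kernel apply the permissions. Two smaller points: `*ptr = NULL;` stores a pointer constant into a char and should read `*ptr = '\0';`, and `(stbuf.st_mode&S_IFMT)&S_IFDIR` is also nonzero for file types whose S_IFMT bits include the S_IFDIR bit (S_IFBLK 0060000 and S_IFSOCK 0140000 on BSD), so the intended test is `(stbuf.st_mode & S_IFMT) != S_IFDIR`.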
Bill Shannon stated that it was hard to do this because of symbolic
links, and he was right. The stat done in the middle of the loop
(marked above by /*********/) is executed as root, and thus if a symbolic
link is encountered, all directories/files in the link will be
searched as root. For example,
# chmod 700 /sys
# su guest
% cd
% ln -s sneaky /sys/sys/ufs_syscalls.c
% tftp localhost
% get sneaky
Will get the file since the stat will only check ./sneaky,
and /sys/sys/ufs_syscalls.c. The intervening directories,
/sys and /sys/sys, will not be checked.
--
Larry Philps
Engineering Computing Facility
University of Toronto
{linus,ihnp4,uw-beaver,floyd,decvax,utzoo}!utcsrgv!utecfa!larry
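As an added example (not code from the post or from tftpd), the quoted per-component stat() walk beside a version that canonicalises the path with realpath() before walking it, so the directories a symbolic link passes through are checked too; build_fixture() constructs a throwaway directory tree under /tmp (assumed writable) that reproduces the symlink case described above, and the function names are this example's own.

```c
#define _DEFAULT_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Same walk as the quoted patch: cut the absolute path at each '/', stat()
 * that prefix (stat() follows symlinks) and require a directory with S_IXOTH. */
static int dirs_world_searchable(const char *path) {
    char buf[PATH_MAX];
    struct stat st;
    int r;
    if (path[0] != '/' || strlen(path) >= sizeof buf) return 0;
    strcpy(buf, path);
    for (char *p = buf + 1; *p; p++) {
        if (*p != '/') continue;
        *p = '\0'; r = stat(buf, &st); *p = '/';   /* stat the prefix only */
        if (r < 0 || !S_ISDIR(st.st_mode) || !(st.st_mode & S_IXOTH)) return 0;
    }
    return 1;
}
/* As posted: a symlink component hides the directories its target passes through. */
int flawed_check(const char *path) { return dirs_world_searchable(path); }
/* Hardened: canonicalise first, then walk the real path. Still check-then-use;
 * the real cure is an unprivileged open so the kernel enforces permissions. */
int hardened_check(const char *path) {
    char real[PATH_MAX];
    return realpath(path, real) != NULL && dirs_world_searchable(real);
}
/* Constructed fixture (not from the post) in a fresh temp dir: closed/secret
 * with closed mode 0700, open/link -> ../closed/secret with open mode 0755. */
int build_fixture(char *link, size_t n) {
    char tmpl[] = "/tmp/tftpchkXXXXXX", p[PATH_MAX];
    if (mkdtemp(tmpl) == NULL || chmod(tmpl, 0755) < 0) return -1;
    snprintf(p, sizeof p, "%s/closed", tmpl);
    if (mkdir(p, 0700) < 0) return -1;
    snprintf(p, sizeof p, "%s/closed/secret", tmpl);
    if (mkdir(p, 0700) < 0) return -1;
    snprintf(p, sizeof p, "%s/open", tmpl);
    if (mkdir(p, 0755) < 0 || chmod(p, 0755) < 0) return -1;
    snprintf(link, n, "%s/open/link", tmpl);
    return symlink("../closed/secret", link);
}
/* 1 when the posted check passes the link but the hardened one rejects it. */
int demo(void) {
    char link[PATH_MAX];
    if (build_fixture(link, sizeof link) != 0) return -1;
    return flawed_check(link) == 1 && hardened_check(link) == 0;
}
```

The typed name /tmp/.../open/link walks only world-searchable directories, while its real path goes through the 0700 directory "closed", which the posted walk never sees.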