Netkit FTP Server: Privilege escalation
1. Gentoo Linux Security Advisory
Version Information
| Advisory Reference | GLSA 200611-05 / ftpd |
| Release Date | November 10, 2006 |
| Latest Revision | December 30, 2007: 02 |
| Impact | high |
| Exploitable | remote |

| Package | Vulnerable versions | Unaffected versions | Architecture(s) |
| net-ftp/netkit-ftpd | < 0.17-r4 | >= 0.17-r4 | All supported architectures |
Related bug reports: #150292
Synopsis
An incorrect seteuid() call could allow an FTP user to access some files or
directories that would normally be inaccessible.
2. Impact Information
Background
net-ftp/netkit-ftpd is the Linux Netkit FTP server with optional SSL support.
Description
Paul Szabo reported that an incorrect seteuid() call after the chdir()
function can allow an attacker to access a normally forbidden
directory in some very particular circumstances, for example when the
NFS-hosted targeted directory is not reachable by the client-side root
user. Additionally, some potentially exploitable unchecked setuid()
calls were also fixed.
Impact
A local attacker might craft his home directory to gain access through
ftpd to normally forbidden directories like /root, possibly with
write permissions if seteuid() fails and if the ftpd configuration
allows that. The unchecked setuid() calls could also lead to a root FTP
login, depending on the FTP server configuration.
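The ordering and return-value problem described under Description and Impact, modelled as an added example (not netkit-ftpd's code and not part of the original advisory). The function-pointer table, the simulated daemon, uid 1000 and the paths are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Calls are injected so a seteuid() failure can be simulated without root;
 * a real daemon would wire in libc's seteuid(), geteuid() and chdir(). */
struct priv_ops {
    int   (*set_euid)(uid_t);
    uid_t (*get_euid)(void);
    int   (*change_dir)(const char *);
};

/* Risky ordering: chdir() runs under the daemon's current euid and the
 * seteuid() result is ignored. Returns the euid that performed chdir(). */
static long enter_home_unchecked(const struct priv_ops *o, uid_t user, const char *home)
{
    long acted_as = (long)o->get_euid();
    if (o->change_dir(home) != 0) return -1;
    o->set_euid(user);                  /* too late, and failure is unnoticed */
    return acted_as;
}

/* Hardened ordering: switch identity, verify it, only then chdir(). */
static long enter_home_checked(const struct priv_ops *o, uid_t user, const char *home)
{
    if (o->set_euid(user) != 0) return -1;    /* refuse login, never continue as root */
    if (o->get_euid() != user) return -1;     /* confirm the switch really happened */
    if (o->change_dir(home) != 0) return -1;  /* kernel now checks the user's rights */
    return (long)o->get_euid();
}

/* Constructed simulation: daemon starts as euid 0; /root is root-only. */
static uid_t fake_euid = 0;
static int fake_seteuid_fails = 0;
static int fake_set_euid(uid_t u) { if (fake_seteuid_fails) return -1; fake_euid = u; return 0; }
static uid_t fake_get_euid(void) { return fake_euid; }
static int fake_change_dir(const char *p) { return (strcmp(p, "/root") == 0 && fake_euid != 0) ? -1 : 0; }
static const struct priv_ops FAKE = { fake_set_euid, fake_get_euid, fake_change_dir };

int main(void)
{
    printf("unchecked /root: chdir ran as euid %ld\n", enter_home_unchecked(&FAKE, 1000, "/root"));
    fake_euid = 0;
    printf("checked   /root: %ld\n", enter_home_checked(&FAKE, 1000, "/root"));
    fake_euid = 0; fake_seteuid_fails = 1;
    printf("checked, seteuid fails: %ld\n", enter_home_checked(&FAKE, 1000, "/home/alice"));
    return 0;
}
```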
3. Resolution Information
Workaround
There is no known workaround at this time.
Resolution
All Netkit FTP Server users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-ftp/netkit-ftpd-0.17-r4"