glftpd.privpath.txt

2000-06-27T00:00:00
ID PACKETSTORM:22229
Type packetstorm
Reporter Raymond Dijkxhoorn
Modified 2000-06-27T00:00:00

Description

                                        
                                            `Glftpd 1.18 till 1.21b8 (current beta) have a serious problem with the  
privpath directives....  
  
It will probably be fixed in the comming 1.21b9 but i have included a  
quick fix in this one to prevent exploits of this bug. Thanx for Hoopy for  
the quick fix (glftpd dev team).  
  
Problem:  
  
When you know the private dir names on a site, or groupdirs you can ust  
'try' to get in .. and its very easy. If you know the name of groupdir you  
can simply change into it using the completion function on glftpd.  
  
If you have a private dir / group dir:  
  
For example....  
  
/Groups/Mygroup and you have a dir named 'test' there.  
  
you can simply jump to it by typing 'chdir /Groups/Mygroup/t  
glftpd does not check if you have the proper rights to see the dir, it  
just hops in there without any problem. So if you try a-9 on the dirnames  
you can see all stuff inside a private dir,, takes some time, but with a  
nice script its not that hard... ;-)  
  
Fix:  
  
Put in the attached fix, instructions are also inside the .c file.  
It wil ONLY exploiting of the bug on glftpd 1.20 and above, so if you're  
running <<1.20 then upgrade to the latest version. I'll post a short note  
when the fixed binary is out also....  
  
In the glftpd.conf: cscript cwd pre /bin/leakfix  
  
Bye,  
Raymond Dijkxhoorn.  
  
  
  
  
---1413343248-2112129871-962009665=:31907  
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="leakfix.c"  
Content-Transfer-Encoding: BASE64  
Content-ID: <Pine.LNX.4.10.10006261054250.31907@twix.thrijswijk.nl>  
Content-Description:  
Content-Disposition: attachment; filename="leakfix.c"  
  
LyoNDQoNDQoqKiogVmVyeSBxdWljayAmIGRpcnR5IGZpeCBmb3IgdGhlIGds  
RlRQZCBwcml2cGF0aC1tYXRjaGluZyBsZWFrLg0NCg0NCioqKiBOT1RFOiBU  
aGlzIGZpeCBoYXMgTk9UIGJlZW4gdGVzdGVkIHRob3JvdWdobHkgYW5kIHRo  
dXMgbWF5IGV2ZW4gaW5jcmVhc2UNDQoqKiogICAgICAgeW91ciBzaXRlJ3Mg  
c2VjdXJpdHkgcHJvYmxlbXMuIFVzZSBhdCB5b3VyIG93biByaXNjISBVcGRh  
dGUgZ2xGVFBkDQ0KKioqICAgICAgIGFzIHNvb24gYXMgYW4gb2ZmaWNpYWwg  
YnVnZml4IGlzIG91dCENDQoNDQoqKiogVGhpcyB3aWxsIG9ubHkgd29yayB3  
aXRoIGdsRlRQZCAxLjIwIGFuZCBoaWdoZXIsIGJlY2F1c2UgaXQgdXNlcyB0  
aGUNDQoqKiogQ1NjcmlwdCBob29rIHdoaWNoIHdhcyBpbnRyb2R1Y2VkIHdp  
dGggdjEuMjAgLi4uDQ0KDQ0KKioqIEhvdyBkb2VzIGl0IHdvcms/IEl0IGNo  
ZWNrcyB3aGljaCBkaXJlY3RvcnkgYSB1c2VyIHdhbnRzIHRvIENXRCBpbnRv  
LA0NCioqKiBhbmQgaWYgaXQncyBhIHByaXZhdGUgZGlyZWN0b3J5IHdpdGgg  
bGVzcyB0aGFuIGUuZy4gMyBjaGFyYWN0ZXJzIGFmdGVyDQ0KKioqIHRoZSBs  
YXN0IHNsYXNoLCB0aGVuIGl0IGRlbmllcyB0aGUgQ1dEIGF0dGVtcHQuIFRo  
aXMgbWVhbnMgYSB1c2VyIHdvdWxkDQ0KKioqIG5lZWQgdG8ga25vdyBhdCBs  
ZWFzdCAzIGNoYXJhY3RlcnMgb2YgYSByZWxlYXNlIG5hbWUgc3RvcmVkIGlu  
IGEgcHJpdmF0ZQ0NCioqKiBkaXJlY3RvcnkuDQ0KDQ0KKioqIE1ha2Ugc3Vy  
ZSB0byBrZWVwIHRoZSBudW1iZXIgb2YgY2hhcmFjdGVycyBuZWVkZWQgdG8g  
Z3Vlc3MgYXMgbG93DQ0KKioqIGFzIHBvc3NpYmxlLiBGb3IgZXhhbXBsZSwg  
aWYgeW91IGhhdmUgYSAvcHJpdmF0ZS9YWVogYW5kIHNldCB0aGUNDQoqKiog  
bnVtYmVyIHRvIDUsIGFueSBhdHRlbXB0IHRvIGN3ZCBpbnRvIC9wcml2YXRl  
L1hZWiB3b3VsZCBiZSBkZW5pZWQuDQ0KKioqIFBlb3BsZSB3b3VsZCB0aGVu  
IGhhdmUgdG8gY3dkIGludG8gL3ByaXZhdGUgZmlyc3QgYW5kIGZyb20gdGhl  
cmUgaW50bw0NCioqKiBYWVouIFRoaXMgbWVhbnMgdGhpcyBidWdmaXggd291  
bGQgbm90IHByZXZlbnQgb3V0IHRoZSByaWdodCBwZW9wbGUNDQoqKiogZnJv  
bSBhY2Nlc3NpbmcgdGhlaXIgcHJpdmF0ZSBkaXJlY3RvcmllcywgaG93ZXZl  
ciB0aGV5IHdvdWxkIGJlIGZvcmNlZA0NCioqKiB0byBjaGFuZ2UgaW50byB0  
aGVyZSBzdGVwIGJ5IHN0ZXAgYW5kIG5vdCB3aXRoIGFuIGFic29sdXRlIHBh  
dGhuYW1lLg0NCioqKiBUaGlzIGFzIHVzdWFsIGNvdWxkIGxlYWQgdG8gY29u  
ZnVzaW9ucyBmb3Igc29tZSBpbnRlbGxlY3R1YWxseQ0NCioqKiBjaGFsbGFu  
Z2VkIHVzZXJzIDopDQ0KDQ0KKioqIFlvdSBjYW4gaW5jcmVhc2UgdGhlIG51  
bWJlciBvZiBjaGFyYWN0ZXJzIGEgdXNlciBtdXN0IGd1ZXNzIGNvcnJlY3Rs  
eQ0NCioqKiBiZWxvdyBpbiB0aGUgc291cmNlLCBhcyB3ZWxsIGFzIHRoZSBu  
YW1lcyBvZiB5b3VyIHByaXZhdGUgZGlyZWN0b3JpZXMNDQoqKiogbXVzdCBi  
ZSBzcGVjaWZpZWQgcHJvcGVybHkgaGVyZS4gVGhlIGRlZmF1bHQgbWF0Y2hl  
cyBhbGwgZGlyZWN0b3JpZXMNDQoqKiogY29udGFpbmluZyAvcHJpdmF0ZSwg  
L3ByZSBvciAvZ3JvdXAgLi4uIGNhc2UgaW5zZW5zaXRpdmUsIHdoaWNoIG1l  
YW5zDQ0KKioqIC9zaXRlL2luY29taW5nL0dyb3Vwcy9CTFVCLVBSRSB3b3Vs  
ZCBhbHNvIGJlIG1hdGNoZWQgY29ycmVjdGx5IGJ5DQ0KKioqIGRlZmF1bHQu  
DQ0KDQ0KKioqIFRvIGluc3RhbGwgdGhpcyBmaXgsIGNvbXBpbGUgaXQgd2l0  
aA0NCg0NCmdjYyAtbyBsZWFrZml4IGxlYWtmaXguYw0NCg0NCioqKiBhbmQg  
Y29weSB0aGUgbGVha2ZpeCBiaW5hcnkgaW50byB5b3VyIC9nbGZ0cGQvYmlu  
IGRpcmVjdG9yeS4gVGhlbiBhZGQNDQoNDQpjc2NyaXB0IGN3ZCBwcmUgL2Jp  
bi9sZWFrZml4DQ0KDQ0KKioqIHRvIHlvdXIgL2V0Yy9nbGZ0cGQuY29uZiBm  
aWxlIC4NDQoNDQoqKiogUmVtZW1iZXIgdGhpcyB3aWxsIG9ubHkgd29yayB3  
aXRoIGdsRlRQZCAxLjIwIGFuZCBoaWdoZXIgYW5kIG1ha2Ugc3VyZQ0NCioq  
KiB0byB1cGRhdGUgYXMgc29vbiBhcyB0aGVyZSBpcyBhbiBvZmZpY2lhbCBi  
dWdmaXggaXMgb3V0ICh5b3UgY2FuIHJlbW92ZQ0NCioqKiB0aGlzIGNzY3Jp  
cHQgbGluZSBmcm9tIHlvdXIgZ2xmdHBkLmNvbmYgYWdhaW4gdGhlbikuDQ0K  
DQ0KKioqIElGIFlPVSBGSU5EIEFOWSBFUlJPUlMgSU4gVEhJUyBQTEVBU0Ug  
TEVUIE1FIEtOT1csIEZJWCBJVCBBTkQgU0hBUkUgSVQNDQoqKiogV0lUSCBP  
VEhFUlMuDQ0KDQ0KLy8gSG9vcHkgPGhvb3B5QHJpc2Npc28uY29tPg0NCg0N  
CiovDQ0KDQ0KI2luY2x1ZGUgPHN0ZGlvLmg+DQ0KI2luY2x1ZGUgPHN0ZGxp  
Yi5oPg0NCiNpbmNsdWRlIDxzdHJpbmcuaD4NDQojaW5jbHVkZSA8c3lzL3R5  
cGVzLmg+DQ0KI2luY2x1ZGUgPHN5cy9zdGF0Lmg+DQ0KI2luY2x1ZGUgPHVu  
aXN0ZC5oPg0NCiNpbmNsdWRlIDxzaWduYWwuaD4NDQojaW5jbHVkZSA8dGlt  
ZS5oPg0NCg0NCiNkZWZpbmUJRVhJVF9PSwkJMA0NCiNkZWZpbmUJRVhJVF9F  
UlJPUgkxDQ0KDQ0KaW50IG1haW4gKGludCBhcmdjLCBjaGFyICphcmd2W10p  
DQ0Kew0NCiAgY2hhciBjd2RjbWRbNTAwXTsNDQogIGludCBjbnQ7CQ0NCgkN  
DQogIGlmIChhcmdjIDwgMykNDQogIHsNDQogICAgZnByaW50ZiAoc3Rkb3V0  
LCAiUmVhZCB0aGUgZG94IG9uIGhvdyB0byBzZXQgdGhpcyB1cC4uLlxuIik7  
IGZmbHVzaCAoc3Rkb3V0KTsNDQogICAgcmV0dXJuIEVYSVRfRVJST1I7DQ0K  
ICB9DQ0KDQ0KICBzbnByaW50ZiAoY3dkY21kLCA1MDAsIGFyZ3ZbMV0pOw0N  
CiAgZm9yIChjbnQ9MDsgY250IDwgc3RybGVuKGN3ZGNtZCk7IGNudCsrKSBj  
d2RjbWRbY250XSA9IHRvbG93ZXIoY3dkY21kW2NudF0pOw0NCiAgDQ0KLy8g  
Q09QWSBUSEUgRk9MTE9XSU5HIExJTkUgRk9SIEVBQ0ggT0YgWU9VUiBQUklW  
QVRFIFBBVEhTDQ0KICBpZiAoc3Ryc3RyKGN3ZGNtZCwgIi9wcml2YXRlIikg  
PT0gTlVMTCkNDQogIGlmIChzdHJzdHIoY3dkY21kLCAiL3ByZSIpID09IE5V  
TEwpDQ0KICBpZiAoc3Ryc3RyKGN3ZGNtZCwgIi9ncm91cCIpID09IE5VTEwp  
DQ0KICByZXR1cm4gRVhJVF9PSzsNDQogIA0NCiAgaWYgKHN0cmxlbihzdHJy  
Y2hyKGN3ZGNtZCwgJy8nKSkgPCA0KSANDQogIHsNDQogIAlmcHJpbnRmIChz  
dGRvdXQsICI1NTBDV0QgYXR0ZW1wdCBkZW5pZWQsIGNoYW5nZSBpbnRvIHBy  
aXZhdGUgZGlyZWN0b3J5IGZpcnN0LlxuIik7IGZmbHVzaChzdGRvdXQpOw0N  
CiAgCXJldHVybiBFWElUX0VSUk9SOw0NCiAgfQkNDQoNDQogIHJldHVybiBF  
WElUX09LOwkNDQoJDQ0KfQ0NCg==  
---1413343248-2112129871-962009665=:31907--  
  
`