CVE-2006-5778 - Information Disclosure vulnerability in Linux-Ftpd-Ssl 0.17
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL

Summary
ftpd in linux-ftpd 0.17, and possibly other versions, performs a chdir before setting the UID, which allows local users to bypass intended access restrictions by redirecting their home directory to a restricted directory.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Nessus
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-1217.NASL
description: Paul Szabo discovered that the netkit ftp server switches the user id too late, which may lead to the bypass of access restrictions when running on NFS. This update also adds return value checks to setuid() calls, which may fail in some PAM configurations.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 23703
published: 2006-11-22
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/23703
title: Debian DSA-1217-1 : linux-ftpd - programming error

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200611-05.NASL
description: The remote host is affected by the vulnerability described in GLSA-200611-05 (Netkit FTP Server: Privilege escalation). Paul Szabo reported that an incorrect seteuid() call after the chdir() function can allow an attacker to access a normally forbidden directory, in some very particular circumstances, for example when the NFS-hosted targeted directory is not reachable by the client-side root user. Additionally, some potentially exploitable unchecked setuid() calls were also fixed.
Impact : A local attacker might craft his home directory to gain access through ftpd to normally forbidden directories like /root, possibly with writing permissions if seteuid() fails and if the ftpd configuration allows that. The unchecked setuid() calls could also lead to a root FTP login, depending on the FTP server configuration.
Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 23670
published: 2006-11-20
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/23670
title: GLSA-200611-05 : Netkit FTP Server: Privilege escalation
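The ordering and return-value checks that the advisories above describe, as an added example (not code from linux-ftpd or from either advisory). The function name and error codes are hypothetical, and the sample calls use the process's own IDs so the code runs unprivileged; a real server would also set supplementary groups before switching.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result codes for this example. */
enum { LOGIN_OK = 0, ERR_SETEGID = -1, ERR_SETEUID = -2,
       ERR_VERIFY = -3, ERR_CHDIR = -4 };

/*
 * Hardened ordering: take on the user's effective IDs first, check every
 * return value, and only then chdir(). The permission check on the home
 * directory is then made with the user's credentials, not the server's.
 * The flawed ordering is the reverse: chdir(home) while still privileged,
 * followed by an ID switch whose result is never checked.
 */
int enter_home_as_user(uid_t uid, gid_t gid, const char *home)
{
    if (setegid(gid) != 0)      /* group first: needs privilege we still hold */
        return ERR_SETEGID;
    if (seteuid(uid) != 0)      /* may fail; never ignore the result */
        return ERR_SETEUID;
    /* Confirm the switch took effect before touching the filesystem. */
    if (geteuid() != uid || getegid() != gid)
        return ERR_VERIFY;
    if (chdir(home) != 0)       /* now evaluated as the user */
        return ERR_CHDIR;
    return LOGIN_OK;
}

int main(void)
{
    /* Constructed input: our own IDs and two sample paths. */
    int rc = enter_home_as_user(geteuid(), getegid(), "/");
    printf("own ids, \"/\": %d\n", rc);

    rc = enter_home_as_user(geteuid(), getegid(), "/nonexistent-example-dir");
    printf("own ids, missing dir: %d (%s)\n", rc, strerror(errno));
    return 0;
}
```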
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384454
- http://lists.grok.org.uk/pipermail/full-disclosure/2006-August/049014.html
- http://secunia.com/advisories/22997
- http://security.gentoo.org/glsa/glsa-200611-05.xml
- http://www.debian.org/security/2006/dsa-1217
- http://www.securityfocus.com/bid/21000