Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10 beta 3/9/83; site utecfa.UUCP
Path: utzoo!utcsrgv!utai!uthub!utecfa!larry
From: larry@utecfa.UUCP (Larry Philps)
Newsgroups: net.bugs.4bsd
Subject: Re: SECURITY HOLE in tftpd
Message-ID: <159@utecfa.UUCP>
Date: Thu, 27-Sep-84 17:50:21 EDT
Article-I.D.: utecfa.159
Posted: Thu Sep 27 17:50:21 1984
Date-Received: Thu, 27-Sep-84 20:41:46 EDT
References: <442@unmvax.UUCP>
Distribution: net
Organization: Engineering Computing Facility, University of Toronto
Lines: 45



Sorry, the "better" fix shown below will not work.

>From: lee@unmvax.UUCP
>Subject: SECURITY HOLE in tftpd
> ...
>+ 	/* Check path first */
>+ 	ptr = file;
>+ 	ptr++;
>+ 	while (*ptr) {
>+ 		if (*ptr++ != '/')
>+ 			continue;
>+ 		ptr--;
>+ 		*ptr = NULL;
>+ 		sret = stat(file, &stbuf); /*********/
>+ 		*ptr++ = '/';
>+ 		if (sret < 0)
>+ 			return (errno == ENOENT ? ENOTFOUND : EACCESS);
>+ 		if (!((stbuf.st_mode&S_IFMT)&S_IFDIR))
>+ 			break;
>+ 		if ((stbuf.st_mode&(S_IEXEC >> 6)) == 0)
>+ 			return (EACCESS);
>+ 	}

Bill Shannon stated that it was hard to do this because of symbolic
links, and he was right.  The stat done in the middle of the loop
(marked above by /******/) executed run as root, and thus if a symbolic
link is encountered, all directories/files in the link will be
searched as root.  For example,
	# chmod 700 /sys
	# su guest
	% cd
	% ln -s sneaky /sys/sys/ufs_syscalls.c
	% tftp localhost
	% get sneaky
Will get the file since the stat will only check ./sneaky,
and /sys/sys/ufs_syscalls.c.  The intervening directories,
/sys and /sys/sys, will not be checked.
-- 
						Larry Philps
						Engineering Computing Facility
						University of Toronto
		{linus,ihnp4,uw-beaver,floyd,decvax,utzoo}!utcsrgv!utecfa!larry