SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   FTPfs
Vendors:   Malita, Florin
The FTPfs Linux Kernel Module for Mounting FTP Servers Can Give Local Users Root-Level Access
SecurityTracker Alert ID:  1001097
SecurityTracker URL:  http://securitytracker.com/id/1001097
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 15 2001
Impact:   Execution of arbitrary code via local system, Root access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A security flaw has been reported in FTPfs, a Linux kernel module that allows mounting of FTP shared directories to the file system. The vulnerability permits local users to execute commands and code on the system with root privileges.

FTPfs accepts user-supplied options to the "mount" command without performing sufficient bounds checking on them. A local user can use this to execute code on the machine and obtain root privileges (as mount is a setuid program).

A demonstration exploit was provided in the original report:

mount -t ftpfs none /mnt -o ip=127.0.0.1,user=xxxxxxxxxxxxxxxxxxxxxxxxxxxx...

This command reportedly produces an immediate reboot (tested with kernel 2.4.2 and FTPFS 0.1.1).

The vendor has been contacted.
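
The missing check described above is a length test on each option value before it is copied into a fixed-size buffer. The following is an added example, not FTPfs code and not the vendor's fix: the structure, the field sizes and the function names are assumptions made for illustration, and it is written as user-space C so it can be compiled and tested on its own.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical field sizes; FTPfs's real structures are not shown in this advisory. */
#define OPT_IP_MAX   16
#define OPT_USER_MAX 32

struct ftp_opts {
    char ip[OPT_IP_MAX];
    char user[OPT_USER_MAX];
};

/* Copy len bytes into a fixed buffer; refuse empty or over-long values
 * instead of truncating or writing past the end. */
static int copy_bounded(char *dst, size_t dst_size, const char *src, size_t len)
{
    if (len == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "key=value,key=value". Returns 0 on success, -1 on any malformed,
 * unknown or over-long option; *out is zeroed on failure. */
int parse_mount_opts(const char *data, struct ftp_opts *out)
{
    memset(out, 0, sizeof(*out));
    if (data == NULL)
        return -1;
    while (*data != '\0') {
        size_t tok = strcspn(data, ",");            /* length of this option */
        const char *eq = memchr(data, '=', tok);    /* '=' inside this option only */
        int rc = -1;
        if (eq != NULL) {
            size_t klen = (size_t)(eq - data);
            size_t vlen = tok - klen - 1;
            if (klen == 2 && memcmp(data, "ip", 2) == 0)
                rc = copy_bounded(out->ip, sizeof(out->ip), eq + 1, vlen);
            else if (klen == 4 && memcmp(data, "user", 4) == 0)
                rc = copy_bounded(out->user, sizeof(out->user), eq + 1, vlen);
        }
        if (rc != 0) {
            memset(out, 0, sizeof(*out));           /* never return partial state */
            return -1;
        }
        data += tok;
        if (*data == ',')
            data++;
    }
    return 0;
}
```

With these assumed sizes, a mount request whose "user" value is 32 bytes or longer is rejected before any copy takes place, so the caller can fail the mount with an error.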

Impact:   A local user can obtain root privileges.
Solution:   The vendor has apparently issued a fix (ftpfs-0.2.1-k2.4) for Linux kernel 2.4 users. The version 0.1.1 for Linux kernel 2.2 users was not fixed at the time of this entry.
Vendor URL:  ftpfs.sourceforge.net/
Cause:   Input validation error
Underlying OS:  Linux (Any)

Message History:   None.


 Source Message Contents

Subject:  Buffer overflow in FTPFS (linux kernel module)


  FTPFS (http://sourceforge.net/projects/ftpfs) is a Linux kernel module,
enhancing VFS with FTP volume mounting capabilities.

  However, it has insufficient bounds checking. If a user can enter mount
options through a wrapper, he can take over the whole system, even with
restricted capabilities.

  Here's a simple exploit:

mount -t ftpfs none /mnt -o ip=127.0.0.1,user=xxxxxxxxxxxxxxxxxxxxxxxxxxxx...

  The previous command produces an immediate reboot (tested with kernel 2.4.2
and FTPFS 0.1.1).

  The author is aware of that vulnerability.

  Best regards,

--
  -=- Frank DENIS aka Jedi/Sector One < spam@jedi.claranet.fr > -=-
		LINAGORA SA (Paris, France) : http://www.linagora.com


 
 


Copyright 2021, SecurityGlobal.net LLC