Bug 61364 - fspd:remote exploitable security hole
Summary: fspd:remote exploitable security hole
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: Trevor Johnson
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-01-14 17:10 UTC by Radim Kolar
Modified: 2004-05-17 14:21 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Radim Kolar 2004-01-14 17:10:13 UTC
ports/net/fspd 281b3 is a very old fsp daemon which is slow and has some major
security issues, so nobody should run this junk anymore. You can get
newer version from http://fsp.sourceforge.net/ and repackage it.
Current version is autoconfed. There will be fsp281b19 shortly which
has my 2-line patch for clean bsd compile.
 
It has two major security problem: 
1) root escape
2) buffer overflow when checking paths

Fix: 

remove old junk asap from mirrors, upgrade port. Take a rest. FSP is a very usefull
thing, my ISP do not counts UDP in my month quota. FSP is about 3x slower
than TCP.

Radim Kolar
current maintainer of fsp protocol suite
How-To-Repeat: You can get independant fsp protocol stacks from fsp.sf.net and write
a nice exploits. FSPD can not be exploited using standard tools provided
with fsp of by fspclient. I had fsp exploit before, but after Debian group
update their fsp distribution, i have deleted them. I have send my exploit
to packetstormsecurity and Debian security team in December,
but they do not published it nor made announcement. I have no experience
with dealing with security holes but i had surpriced that both groups
ignored this problem. 

These funny path for root escape looks like /../../z/y/z. If i remmember
correctly fspd rejects pathes starting with dot so ../.. do not works.
Comment 1 Tilman Keskinoz freebsd_committer 2004-01-14 17:30:16 UTC
Responsible Changed
From-To: freebsd-ports-bugs->trevor

Over to maintainer
Comment 2 Radim Kolar 2004-05-06 22:17:38 UTC
New fspd with fixed security hole is in ports system now.
This ticket should be closed and fspd removed from vuxml.
Comment 3 Jacques Vidrine freebsd_committer 2004-05-17 14:20:42 UTC
State Changed
From-To: open->closed

Closed on request of originator.