Vigil@nce - ProFTPD: permission change via UserOwner
January 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When ProFTPD uses the UserOwner directive, a local attacker can
create a directory under a symbolic link, in order to force
ProFTPD to change permissions of another directory.
Impacted products: Debian, ProFTPD
Severity: 2/4
Creation date: 08/01/2013
DESCRIPTION OF THE VULNERABILITY
The UserOwner directive of ProFTPD indicates the name of the owner
of files/directories which will be created.
So, when the FTP client calls the MKD/XMKD command, ProFTPD
creates the directory, and then changes its owner. However,
between these two operations, a local attacker can replace the
parent directory by a symbolic link pointing to another tree.
When ProFTPD uses the UserOwner directive, a local attacker can
therefore create a directory under a symbolic link, in order to
force ProFTPD to change permissions of another directory.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/ProFTPD-permission-change-via-UserOwner-12288