From djb@cr.yp.to Wed Dec 15 14:23:31 2004
Date: 15 Dec 2004 08:34:01 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, bug@iglooftp.com
Subject: [local] [control] IglooFTP 0.6.1 uses fopen in /tmp

Manigandan Radhakrishnan, a student in my Fall 2004 UNIX Security Holes
course, has discovered a locally exploitable security hole in IglooFTP,
at least version 0.6.1 (the current version in FreeBSD ports). I'm
publishing this notice, but all the discovery credits should be assigned
to Radhakrishnan.

You are at risk if you use IglooFtp to recursively upload a directory.
Any user with an account on the same machine can, with enough effort,
substitute his own files for the files you are uploading.

Here's the bug: IglooFtp uses fopen(...,"w") on a filename returned by
tmpnam(). There is no O_EXCL protection on the open; fopen() will
happily write to an attacker-owned file, so the attacker can change the
file contents later. Some operating systems try to make the filename
hard to guess---FreeBSD, for example, uses cryptographic random numbers
to generate one of 57 billion possible filenames---but this level of
randomness is not sufficient to stop a persistent attacker.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago