Subject: Re: [ProFTPD] FW: mod_sqlpw Password Caching Bug
From: Darron Froese (darronFROESE.ORG)
Date: Tue Dec 12 2000 - 18:22:19 CST


On 12/12/00 3:58 PM, "Darron Froese" <darronfroese.org> wrote:

> ------ Forwarded Message
> From: Miller <joemilerCLARK.NET>
> Reply-To: Miller <joemilerCLARK.NET>
> Date: Mon, 11 Dec 2000 14:55:48 -0500
> To: BUGTRAQSECURITYFOCUS.COM
> Subject: mod_sqlpw Password Caching Bug
>
> The mod_sqlpw module for ProFTPD caches the user id and password
> information returned from the mysql database when attempting to verify a
> password. When the "user" command is used to switch to another account,
> the cached password is not cleared, and the password entered is checked
> against the cached password. If a user knows the password for a valid
> account on a ProFTPD system using mod_sqlpw, they may log into any other
> account in the database by doing the following:
>
> 1. FTP to the host running ProFTPD/mod_sqlpw.
> 2. At the login prompt, enter the user id of the known account "bob".
> 3. When prompted for a password, enter an invalid password for the
> account "bob". Authentication will fail.
> 4. Type "user alice", where "alice" is another account in the user
> database.
> 5. When prompted for a password, enter the correct password for "bob".
>
> At this point, the user "bob" is logged in as the user "alice" without
> knowing alice's password.
>
> Joe Miller

After looking at this a little closer - I don't think there's actually a
working exploit.

While certainly there's a coding error (and possibly an exploit in there
somewhere) - I can't get access to a user's account that I don't already
know the password for.

*Yes* it says that "User A logged in" when user B's password is given BUT
you still have to know the password for the account you want to log into.

Basically:

You can't get someone else's account unless you know their password. And if
you already know their password, then you already have access to their
account so there's no real exploit here.

Let me demonstrate:

I want to log into tim's account, but I only know the password for the user
darron:

[darrondomain darron]$ ftp localhost
Connected to localhost.localdomain.
220 domain.com FTP server ready.
Name (localhost:darron): darron
331 Password required for darron.
Password: <- Bad password, I want it to fail.
530 Login incorrect.
Login failed.
ftp> user tim
331 Password required for tim.
Password: <- I gave darron's password.
230 User tim logged in.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
drwx---rwx 4 darron admin 4096 Dec 12 18:24 Network Trash Folder
-rw------- 1 darron admin 88279 Dec 3 16:08 Peep-0.3.4.src.tar.gz
226 Transfer complete.
ftp>

I'm *actually* logged in as darron (that's my home directory) - even though
it *said* I was logged in as tim.

BUT I ALREADY KNOW THE PASSWORD for darron so big deal. In the process list
it even shows the process as belonging to the user whose password I already
know:

darron 31368 0.0 0.3 2176 1384 ? S 16:55 0:00 proftpd: darron - 127.0.0.1: IDLE

I can't figure out how to get another user's account without already knowing
*their* password.

Can anyone actually get a different user's home folder ONLY knowing their
own password?

--
Darron
darronfroese.org
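The state-handling defect the thread argues about, modelled as an added Python example (this is not ProFTPD or mod_sqlpw code, and the user table, names, home directories and passwords are constructed for the illustration). The vulnerable model reproduces Darron's transcript: the greeting announces "tim" while the session is bound to darron's record, so the home directory and process owner are darron's. The fixed model discards any pending record on every USER command and derives both the greeting and the session identity from the record that was actually verified, so the two can never disagree in the logs.

```python
"""Toy model of the mod_sqlpw password-caching defect from the thread.

Added illustration only; not ProFTPD/mod_sqlpw code. USER_TABLE is a
constructed stand-in for the SQL user table the module queries.
"""
import hmac

# Constructed sample table: username -> (uid, home directory, password)
USER_TABLE = {
    "darron": (1001, "/home/darron", "darron-pw"),
    "tim":    (1002, "/home/tim",    "tim-pw"),
}


class VulnerableAuth:
    """Keeps the first record it fetched and never drops it on a new USER."""

    def __init__(self, table):
        self.table = table
        self.cached = None      # (name, uid, home, password) of the first lookup
        self.announced = None   # name the server will print in the 230 reply

    def user(self, name):
        self.announced = name
        if self.cached is None and name in self.table:   # defect: filled only once
            uid, home, pw = self.table[name]
            self.cached = (name, uid, home, pw)
        return "331 Password required for %s." % name

    def password(self, pw):
        if self.cached and hmac.compare_digest(pw, self.cached[3]):
            # Greeting uses the announced name; the session gets the cached record.
            return "230 User %s logged in." % self.announced, self.cached[2]
        return "530 Login incorrect.", None


class FixedAuth:
    """Looks the user up on every USER and binds the session to that record."""

    def __init__(self, table):
        self.table = table
        self.pending = None

    def user(self, name):
        self.pending = None     # drop anything left over from a previous USER
        if name in self.table:
            uid, home, pw = self.table[name]
            self.pending = (name, uid, home, pw)
        return "331 Password required for %s." % name

    def password(self, pw):
        rec, self.pending = self.pending, None   # one attempt per USER command
        if rec and hmac.compare_digest(pw, rec[3]):
            # Greeting and session identity both come from the verified record.
            return "230 User %s logged in." % rec[0], rec[2]
        return "530 Login incorrect.", None


def replay(auth_cls):
    """Run the sequence from the thread; return the final (reply, home dir)."""
    a = auth_cls(USER_TABLE)
    a.user("darron")
    a.password("wrong")                # step 3: deliberately fails
    a.user("tim")                      # step 4: switch accounts
    return a.password("darron-pw")     # step 5: darron's password given for tim


def login(auth_cls, name, pw):
    """Plain single-account login; return the final (reply, home dir)."""
    a = auth_cls(USER_TABLE)
    a.user(name)
    return a.password(pw)


if __name__ == "__main__":
    print("vulnerable:", replay(VulnerableAuth))
    print("fixed:     ", replay(FixedAuth))
```

For a defender the mismatch is the useful part: in the vulnerable model the 230 reply and the authentication log name one account while the process and home directory belong to another, which is exactly the confusion Darron's process listing shows. Keying every check on a fresh lookup for the current USER removes both the stale comparison and the misleading log line.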