Bugtraq mailing list archives

Re: gftp - ms ftp debug mode

From: vision () WHITEHATS COM (Max Vision)
Date: Sun, 12 Sep 1999 23:51:07 -0700


Hi,

Do you have reason to believe that this debug mode allows an attacker an
extra ability to in some way capture your password information?

Otherwise, the password being shown in debug mode on the client side is
not a hole.  It is only shown to the client who had just typed it in
seconds ago, and who specifically and consciously enables the debug mode.

As I said in an earlier post, if I put my client software into a debug
mode, I do want to know *exactly* what it's doing.  That's why I put it
into debug mode.

Hypothetical reasons for wanting to see the password information sent:

1.  keyboard problems - if you have a "z" in your password and
    it misses when you hit the key half the time.
2.  user error - you have numlock or caps lock, or have fat fingers
3.  software trouble - you type foo, it sends oof..

Doesn't matter what caused the problem (you did enable debug for a reason
right?), the point is that debug behavior should be to facilitate debuging
by providing as much information as possible.

You may have heard these solutions before, but here they are:

1. don't do that

Keep in mind that as long as you are using the ftp protocol over the net,
that password of yours is in clear in a big way.  That is a far more
dangerous and real vulnerability.

Max

On Sun, 12 Sep 1999, Valentin wrote:

Hello!
Here is a test i did on my rh 6.0 (ftp server is patched ;) :

[> [root@localhost /root]# ftp
ftp> debug
Debuggin on (debug=1).
ftp> open localhost
220 localhost FTP server (Version wu-2.5.0(1) Fri Sep 03 14:41:20 EEST 1999)
ready.
Name (localhost:root): toor
---> USER toor
331 Password required for toor.
Password:
---> PASS XXXX
220 User toor logged in.
...

Now look at this:

[> [root@localhost /root]# ftp
ftp> debug
Debuggin on (debug=1).
ftp> open localhost
220 localhost FTP server (Version wu-2.5.0(1) Fri Sep 03 14:41:20 EEST 1999)
ready.
Name (localhost:root):
---> USER root
331 Password required for root.
Password:
---> PASS XXXX
530 Login incorrect.
Login failed.
---> SYST
530 Please login with USER and PASS.
ftp> quote user toor
---> user toor
ftp> quote pass root
---> pass root  <--- (HAHA Here is the password)
230 User toor logged in.
ftp> .....

Valentin

Current thread:

[security-officer () FreeBSD ORG: FreeBSD-SA-99:01: BSD File Flags and Programming Techniques], (continued)
- - [security-officer () FreeBSD ORG: FreeBSD-SA-99:01: BSD File Flags and Programming Techniques] Patrick Oonk (Sep 03)
  - Re: Root shell vixie cron exploit Valentin Nechayev (Sep 04)
  - gftp Oscar Haeger (Sep 05)
    - Re: gftp - ms ftp debug mode Bencsath Boldizsar (Sep 08)
    - fixing all buffer overflows --- random magin numbers Dr. Joel M. Hoffman (Sep 11)
    - Re: fixing all buffer overflows --- random magin numbers Peter van Dijk (Sep 12)
    - Re: fixing all buffer overflows --- random magin numbers Eric Hutchinson (Sep 12)
    - Re: fixing all buffer overflows --- random magin numbers Daniel W. Dulitz x108 (Sep 13)
    - Enterprise Overflow Daniel Kerr (Sep 11)
    - Re: gftp - ms ftp debug mode Valentin (Sep 12)
    - Re: gftp - ms ftp debug mode Max Vision (Sep 12)
    - Linux 2.2.12 mini-audit Solar Designer (Sep 13)
    - Vulnerability in dtaction Job de Haas (Sep 13)
    - Many kind of POP3/SMTP server softwares for Windows have buffer overflow bug UNYUN (Sep 12)
    - Accept overflow on Netscape Enterprise Server 3.6 SP2 Nobuo Miwa (Sep 12)
  - COM and Windows 2000 Mnemonix (Sep 05)
    - Re: COM and Windows 2000 thomasz () HOSTMASTER ORG (Sep 12)