Bugtraq mailing list archives

Re: [ProFTPD] FW: mod_sqlpw Password Caching Bug


From: Darron Froese <darron () FROESE ORG>
Date: Tue, 12 Dec 2000 17:22:19 -0700

On 12/12/00 3:58 PM, "Darron Froese" <darron () froese org> wrote:

------ Forwarded Message
From: Miller <joemiler () CLARK NET>
Reply-To: Miller <joemiler () CLARK NET>
Date: Mon, 11 Dec 2000 14:55:48 -0500
To: BUGTRAQ () SECURITYFOCUS COM
Subject: mod_sqlpw Password Caching Bug

      The mod_sqlpw module for ProFTPD caches the user id and password
information returned from the mysql database when attempting to verify a
password.  When the "user" command is used to switch to another account,
the cached password is not cleared, and the password entered is checked
against the cached password.  If a user knows the password for a valid
account on a ProFTPD system using mod_sqlpw, they may log into any other
account in the database by doing the following:

1. FTP to the host running ProFTPD/mod_sqlpw.
2. At the login prompt, enter the user id of the known account "bob".
3. When prompted for a password, enter an invalid password for the
account "bob".  Authentication will fail.
4. Type "user alice", where "alice" is another account in the user
database.
5. When prompted for a password, enter the correct password for "bob".

At this point, the user "bob" is logged in as the user "alice" without
knowing alice's password.

Joe Miller

After looking at this a little closer - I don't think there's actually a
working exploit.

While certainly there's a coding error (and possibly an exploit in there
somewhere) - I can't get access to a user's account that I don't already
know the password for.

*Yes* it says that "User A logged in" when user B's password is given BUT
you still have to know the password for the account you want to log into.

Basically:

You can't get someone else's account unless you know their password. And if
you already know their password, then you already have access to their
account so there's no real exploit here.

Let me demonstrate:

I want to log into tim's account, but I only know the password for the user
darron:

[darron@domain darron]$ ftp localhost
Connected to localhost.localdomain.
220 domain.com FTP server ready.
Name (localhost:darron): darron
331 Password required for darron.
Password:                        <- Bad password, I want it to fail.
530 Login incorrect.
Login failed.
ftp> user tim
331 Password required for tim.
Password:                         <- I gave darron's password.
230 User tim logged in.
ftp> ls
200 PORT command successful.
150 Opening ASCII mode data connection for file list.
drwx---rwx   4 darron   admin        4096 Dec 12 18:24 Network Trash Folder
-rw-------   1 darron   admin       88279 Dec  3 16:08 Peep-0.3.4.src.tar.gz
226 Transfer complete.
ftp>

I'm *actually* logged in as darron (that's my home directory) - even though
it *said* I was logged in as tim.

BUT I ALREADY KNOW THE PASSWORD for darron so big deal. In the process list
it even shows the process as belonging to the user whose password I already
know:

darron 31368 0.0 0.3 2176 1384 ? S 16:55 0:00 proftpd: darron - 127.0.0.1: IDLE

I can't figure out how to get another user's account without already knowing
*their* password.

Can anyone actually get a different user's home folder ONLY knowing their
own password?
--
Darron
darron () froese org
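The exchange in the thread, as an added C model of the session logic (example code written for this page; it is not ProFTPD's or mod_sqlpw's own source). The user table is constructed sample data, and the names `db_lookup`, `cmd_user`, `cmd_pass` and `replay_report` are hypothetical. The `fix_cache` flag switches between the reported behaviour (the cached row survives a second USER command, so the PASS check runs against the wrong account's password) and the obvious fix (invalidate the cache whenever USER is issued). The model also records the identity the session actually ends up holding, which matches the observation above that the login announced as tim really ran as darron:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32
#define PASS_LEN 64

/* Constructed stand-in for the SQL user table (sample data, not real accounts). */
struct user_row { const char *name; const char *pass; };
static const struct user_row users[] = {
    { "bob",   "bob-password"   },
    { "alice", "alice-password" },
};

/* Per-connection state. The cache models the bug: a row fetched for one
 * USER command can survive into a later USER command. */
struct session {
    char user[NAME_LEN];           /* name from the most recent USER command */
    bool cache_valid;
    char cached_user[NAME_LEN];    /* account the cached row belongs to */
    char cached_pass[PASS_LEN];
    char effective_user[NAME_LEN]; /* identity the session really holds after login */
};

static void copy_name(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
}

static const struct user_row *db_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0)
            return &users[i];
    return NULL;
}

/* USER command. With fix_cache == false the cache is left alone (the reported
 * behaviour); with fix_cache == true it is invalidated on every USER. */
static void cmd_user(struct session *s, const char *name, bool fix_cache)
{
    copy_name(s->user, sizeof s->user, name);
    s->effective_user[0] = '\0';
    if (fix_cache)
        s->cache_valid = false;
}

/* PASS command. Returns true for a 230 reply, false for 530. */
static bool cmd_pass(struct session *s, const char *pass)
{
    if (!s->cache_valid) {
        const struct user_row *row = db_lookup(s->user);
        if (row == NULL)
            return false;
        copy_name(s->cached_user, sizeof s->cached_user, row->name);
        copy_name(s->cached_pass, sizeof s->cached_pass, row->pass);
        s->cache_valid = true;
    }
    /* The comparison always uses the cached row, whatever s->user now says. */
    if (strcmp(s->cached_pass, pass) != 0)
        return false;
    /* The 230 reply names s->user, but the credentials that matched belong
     * to cached_user, so that is the identity the session runs as. */
    copy_name(s->effective_user, sizeof s->effective_user, s->cached_user);
    return true;
}

/* Replay the reported sequence: USER bob, wrong PASS, USER alice, PASS with
 * bob's password. Fills in the name a 230 reply would announce and the
 * identity the session actually holds; returns the final PASS result. */
static bool replay_report(bool fix_cache, char *announced, size_t alen,
                          char *effective, size_t elen)
{
    struct session s;
    memset(&s, 0, sizeof s);
    cmd_user(&s, "bob", fix_cache);
    (void)cmd_pass(&s, "not-bobs-password");   /* 530, but the cache is now filled */
    cmd_user(&s, "alice", fix_cache);
    bool ok = cmd_pass(&s, "bob-password");
    copy_name(announced, alen, s.user);
    copy_name(effective, elen, ok ? s.effective_user : "");
    return ok;
}

int main(void)
{
    char announced[NAME_LEN], effective[NAME_LEN];
    bool buggy = replay_report(false, announced, sizeof announced,
                               effective, sizeof effective);
    printf("cache kept across USER : login=%d announced=%s effective=%s\n",
           buggy, announced, effective);
    bool fixed = replay_report(true, announced, sizeof announced,
                               effective, sizeof effective);
    printf("cache cleared on USER  : login=%d\n", fixed);
    return 0;
}
```

With the cache left in place the replay logs in, announces `alice`, and holds `bob`'s identity, which is exactly the confusing-but-harmless outcome the thread describes. Clearing the cache on USER makes the second PASS a plain lookup of `alice` and the login fails. Any per-session credential cache needs the same rule: invalidate it on every identity change, not only on success.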