Bugtraq mailing list archives
Re: [ProFTPD] FW: mod_sqlpw Password Caching Bug
From: Darron Froese <darron () FROESE ORG>
Date: Tue, 12 Dec 2000 17:22:19 -0700
On 12/12/00 3:58 PM, "Darron Froese" <darron () froese org> wrote:
------ Forwarded Message
From: Miller <joemiler () CLARK NET>
Reply-To: Miller <joemiler () CLARK NET>
Date: Mon, 11 Dec 2000 14:55:48 -0500
To: BUGTRAQ () SECURITYFOCUS COM
Subject: mod_sqlpw Password Caching Bug

The mod_sqlpw module for ProFTPD caches the user id and password information returned from the mysql database when attempting to verify a password. When the "user" command is used to switch to another account, the cached password is not cleared, and the password entered is checked against the cached password. If a user knows the password for a valid account on a ProFTPD system using mod_sqlpw, they may log into any other account in the database by doing the following:

1. FTP to the host running ProFTPD/mod_sqlpw.
2. At the login prompt, enter the user id of the known account "bob".
3. When prompted for a password, enter an invalid password for the account "bob". Authentication will fail.
4. Type "user alice", where "alice" is another account in the user database.
5. When prompted for a password, enter the correct password for "bob".

At this point, the user "bob" is logged in as the user "alice" without knowing alice's password.

Joe Miller
After looking at this a little closer - I don't think there's actually a working exploit. While certainly there's a coding error (and possibly an exploit in there somewhere) - I can't get access to a user's account that I don't already know the password for. *Yes* it says that "User A logged in" when user B's password is given BUT you still have to know the password for the account you want to log into.

Basically: You can't get someone else's account unless you know their password. And if you already know their password, then you already have access to their account so there's no real exploit here.

Let me demonstrate: I want to log into tim's account, but I only know the password for the user darron:

    [darron@domain darron]$ ftp localhost
    Connected to localhost.localdomain.
    220 domain.com FTP server ready.
    Name (localhost:darron): darron
    331 Password required for darron.
    Password:                         <- Bad password, I want it to fail.
    530 Login incorrect.
    Login failed.
    ftp> user tim
    331 Password required for tim.
    Password:                         <- I gave darron's password.
    230 User tim logged in.
    ftp> ls
    200 PORT command successful.
    150 Opening ASCII mode data connection for file list.
    drwx---rwx 4 darron admin 4096 Dec 12 18:24 Network Trash Folder
    -rw------- 1 darron admin 88279 Dec 3 16:08 Peep-0.3.4.src.tar.gz
    226 Transfer complete.
    ftp>

I'm *actually* logged in as darron (that's my home directory) - even though it *said* I was logged in as tim. BUT I ALREADY KNOW THE PASSWORD for darron so big deal.

In the process list it even shows the process as belonging to the user whose password I already know:

    darron 31368 0.0 0.3 2176 1384 ? S 16:55 0:00 proftpd: darron - 127.0.0.1: IDLE

I can't figure out how to get another user's account without already knowing *their* password. Can anyone actually get a different user's home folder ONLY knowing their own password?

--
Darron
darron () froese org
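The cache behaviour Miller reports and the outcome Darron observes (the session ends up as the user whose record was cached, whatever name USER was given) can be reproduced in a small model. This is an added C example, not ProFTPD or mod_sqlpw code; the user table, passwords and uids are constructed, and the corrected variant simply refuses to reuse a cached record that belongs to a different username than the one just supplied.

```c
#include <stdio.h>
#include <string.h>

/* Constructed user table standing in for the SQL backend. */
struct user_rec { const char *name; const char *pw; int uid; };
static const struct user_rec db[] = {
    { "darron", "pw-darron", 1001 },   /* constructed sample credentials */
    { "tim",    "pw-tim",    1002 },
};

/* Per-connection cache as the report describes it: filled on the first
 * lookup and, in the flawed variant, never cleared on a USER switch. */
struct auth_cache { int valid; char name[32]; char pw[32]; int uid; };

static const struct user_rec *lookup(const char *name) {
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].name, name) == 0) return &db[i];
    return NULL;
}

/* Returns the uid the session would run as on success, or -1 on failure.
 * keyed == 0 models the reported bug: whatever is cached is compared
 * against, regardless of the name given to USER.  keyed == 1 is the
 * corrected logic: the cache is trusted only for the same username. */
static int check_pass(struct auth_cache *c, const char *user,
                      const char *pass, int keyed) {
    if (!c->valid || (keyed && strcmp(c->name, user) != 0)) {
        const struct user_rec *r = lookup(user);
        if (!r) { c->valid = 0; return -1; }
        c->valid = 1;
        snprintf(c->name, sizeof c->name, "%s", r->name);
        snprintf(c->pw, sizeof c->pw, "%s", r->pw);
        c->uid = r->uid;
    }
    return strcmp(c->pw, pass) == 0 ? c->uid : -1;
}

/* Replays the session from the thread: USER darron with a wrong password,
 * then USER tim with second_pass.  Returns the uid the session gets. */
static int replay_session(int keyed, const char *second_pass) {
    struct auth_cache c = { 0 };
    check_pass(&c, "darron", "wrong", keyed);        /* 530 Login incorrect */
    return check_pass(&c, "tim", second_pass, keyed);
}

int main(void) {
    printf("flawed cache: uid %d\n", replay_session(0, "pw-darron")); /* 1001 */
    printf("keyed cache:  uid %d\n", replay_session(1, "pw-darron")); /* -1 */
    return 0;
}
```

With the flawed cache the second login succeeds with darron's password and yields darron's uid, which is exactly the "230 User tim logged in" followed by darron's home directory that the session above shows.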
Current thread:
- Re: [ProFTPD] FW: mod_sqlpw Password Caching Bug Darron Froese (Dec 14)