[11878] in bugtraq
Re: gftp - ms ftp debug mode
daemon@ATHENA.MIT.EDU (Max Vision)
Mon Sep 13 23:38:53 1999
Message-Id: <Pine.BSO.4.10.9909121752440.14819-100000@www.whitehats.com>
Date: Sun, 12 Sep 1999 23:51:07 -0700
Reply-To: Max Vision <vision@WHITEHATS.COM>
From: Max Vision <vision@WHITEHATS.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <37DB5E2D.48EFBE78@parnu.ee>
Hi,

Do you have reason to believe that this debug mode allows an attacker an
extra ability to in some way capture your password information?

Otherwise, the password being shown in debug mode on the client side is
not a hole. It is only shown to the client who had just typed it in
seconds ago, and who specifically and consciously enables the debug mode.

As I said in an earlier post, if I put my client software into a debug
mode, I do want to know *exactly* what it's doing. That's why I put it
into debug mode.

Hypothetical reasons for wanting to see the password information sent:
1. keyboard problems - if you have a "z" in your password and
it misses when you hit the key half the time.
2. user error - you have numlock or caps lock, or have fat fingers
3. software trouble - you type foo, it sends oof..

Doesn't matter what caused the problem (you did enable debug for a reason,
right?), the point is that debug behavior should be to facilitate debugging
by providing as much information as possible.

You may have heard these solutions before, but here they are:
1. don't do that

Keep in mind that as long as you are using the ftp protocol over the net,
that password of yours is in clear in a big way. That is a far more
dangerous and real vulnerability.

Max

On Sun, 12 Sep 1999, Valentin wrote:
> Hello!
> Here is a test I did on my rh 6.0 (ftp server is patched ;) :
>
> [root@localhost /root]# ftp
> ftp> debug
> Debuggin on (debug=1).
> ftp> open localhost
> 220 localhost FTP server (Version wu-2.5.0(1) Fri Sep 03 14:41:20 EEST 1999)
> ready.
> Name (localhost:root): toor
> ---> USER toor
> 331 Password required for toor.
> Password:
> ---> PASS XXXX
> 220 User toor logged in.
> ...
>
> Now look at this:
>
> [root@localhost /root]# ftp
> ftp> debug
> Debuggin on (debug=1).
> ftp> open localhost
> 220 localhost FTP server (Version wu-2.5.0(1) Fri Sep 03 14:41:20 EEST 1999)
> ready.
> Name (localhost:root):
> ---> USER root
> 331 Password required for root.
> Password:
> ---> PASS XXXX
> 530 Login incorrect.
> Login failed.
> ---> SYST
> 530 Please login with USER and PASS.
> ftp> quote user toor
> ---> user toor
> ftp> quote pass root
> ---> pass root <--- (HAHA Here is the password)
> 230 User toor logged in.
> ftp> .....
>
> Valentin
>
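
An added example, not part of the original posts or of any ftp client: a filter that masks the PASS argument in a saved debug transcript before it is shared, matching the verb case-insensitively so that the `quote pass` line from the session above is covered as well as the client's own `PASS` echo. The names `PASS_LINE`, `redact_transcript` and the sample transcript are constructed for illustration.

```python
import re

# A line is treated as carrying a password when it is either the client's
# debug echo of a sent command ("---> PASS ...") or a raw command typed at
# the prompt ("ftp> quote pass ..."). FTP command verbs are case-insensitive
# (RFC 959), so lower-case "pass" must be matched too.
PASS_LINE = re.compile(
    r"""^(?P<head>
            (?:>\s?)*                  # optional e-mail quote markers
            \s*
            (?:--->\s*                 # debug echo of a command sent
              |ftp>\s*quote\s+         # raw command typed by the user
            )
            pass
        )
        (?P<gap>[ \t]+)
        (?P<secret>.+)$""",
    re.IGNORECASE | re.VERBOSE,
)


def redact_transcript(text):
    """Return (clean_text, n), where n is the number of PASS lines masked.

    Everything after the verb is replaced, because a password may itself
    contain spaces and a transcript may carry trailing annotations.
    """
    out, hits = [], 0
    for line in text.splitlines():
        m = PASS_LINE.match(line)
        if m:
            line = m.group("head") + m.group("gap") + "[REDACTED]"
            hits += 1
        out.append(line)
    return "\n".join(out), hits


# Constructed sample transcript (not taken from a real session).
SAMPLE = """\
ftp> quote user toor
---> user toor
ftp> quote pass hunter2 with space
---> pass hunter2 with space
230 User toor logged in.
---> PASS XXXX
331 Password required for toor.
"""

if __name__ == "__main__":
    clean, count = redact_transcript(SAMPLE)
    print(clean)
    print("masked lines:", count)
```

This only cleans the transcript; as the reply notes, the password still crosses the network in clear text whenever plain FTP is used.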