[13108] in bugtraq
Re: ftp conversions exploit
daemon@ATHENA.MIT.EDU (Lamont Granquist)
Mon Dec 27 17:51:14 1999
Message-Id: <Pine.LNX.4.10.9912271143240.3011-100000@localhost.localdomain>
Date: Mon, 27 Dec 1999 11:53:04 -0800
Reply-To: Lamont Granquist <lamont@ICOPYRIGHT.COM>
From: Lamont Granquist <lamont@ICOPYRIGHT.COM>
X-To: Desi Hacker <desihacker@HOTMAIL.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <19991222044725.77471.qmail@hotmail.com>

On Wed, 22 Dec 1999, Desi Hacker wrote:
> during the exploiting process.. the final step as instructed by the author
> doesn't work
>
> ftp> get "--use-compress-program=sh blah".tar
> or
> ftp> get "--use-compress-program=sh blah".tar
>
> instead it gives a warning of permission denied!
> in case of anon ftp logging

The author made it fairly clear that this exploit applied to non-anonymous
accounts, which are more trusted by default than the anonymous FTP
account. The exploit should also fail for anonymous users in the next
step which requires rights to do a SITE CHMOD.

The moral of the exploit seems to be that you shouldn't trust people with
non-anon FTP access who you wouldn't trust with shell accounts.