[20207] in bugtraq
Re: SUN SOLARIS 5.6/5.7 FTP Globbing Exploit !
daemon@ATHENA.MIT.EDU (ghandi)
Fri Apr 13 14:16:10 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.BSF.4.31.0104122044390.59024-100000@buddha.dopesquad.net>
Date: Fri, 13 Apr 2001 10:33:29 -0600
Reply-To: ghandi <ghandi@MINDLESS.COM>
From: ghandi <ghandi@MINDLESS.COM>
X-To: Johnny Cyberpunk <johncybpk@GMX.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <00aa01c0c29f$2b6064a0$2100a8c0@illegalaccess.de>
The fact that in.ftpd crashes with SIGSEGV does not necessarily indicate
that it is a remotely exploitable vulnerability. In this case, it is just
a simple null-pointer dereference. But, as Sun's binary code licence
forbids disassembly, I can only strongly believe or suspect that it is a
register-indirect load where that register's value is 0x0 :). I suspect
that it is caused by glob() looking for the home directory of a NULL
username. So, this is not a remotely exploitable vulnerability; it can
simply be used to crash the remote in.ftpd.
However, this can present other problems, so you should ensure that core
dumps are disabled for inetd (add "ulimit -c 0" before starting inetd in
/etc/init.d/inetsvc) or at least that they are not world readable (add a
umask line); they are world readable by default under 2.6.
--
ghandi / ghandi@mindless.com / www.dopesquad.net
"Bein' Crazy is the least of my worries." - Jack Kerouac
C439 2B06 D8D2 A2D8 1ABB 0A55 A61D 9057 63F5 9B1F
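The core-dump hardening the post recommends for inetd, as an added example that is not part of the original message and not Sun's /etc/init.d/inetsvc script: the two settings are wrapped in a POSIX sh function so their effect on a child process can be checked on any system. The function names and the `sh -c` probe command are this example's own; on a real Solaris 2.6/7 box the `ulimit -c 0` and `umask 077` lines would go into /etc/init.d/inetsvc immediately before the line that starts inetd.

```shell
#!/bin/sh
# Added example (not from the original post or from Solaris): run a
# daemon with core dumps disabled and a restrictive umask, mirroring
# the "ulimit -c 0" / umask lines the post suggests adding to
# /etc/init.d/inetsvc before inetd is started.

# Start "$@" in a subshell whose resource limits and umask are hardened.
# A child that segfaults then writes no core file at all, and any file
# it does create is owner-readable only, not world-readable.
start_hardened() {
    (
        ulimit -c 0      # hardening: core file size limit of zero
        umask 077        # hardening: new files are not world readable
        exec "$@"
    )
}

# Probe what a hardened child actually inherits; prints "<corelimit> <umask>".
inherited_limits() {
    start_hardened sh -c 'echo "$(ulimit -c) $(umask)"'
}

# The same probe without hardening, for comparison with the default.
inherited_limits_unhardened() {
    sh -c 'echo "$(ulimit -c) $(umask)"'
}

# Returns 0 if the hardening took effect in the child, 1 otherwise.
# Accepts both "0077" and "077", since shells print umask differently.
check_hardening() {
    set -- $(inherited_limits)
    [ "$1" = "0" ] || return 1
    [ "$2" = "0077" ] || [ "$2" = "077" ] || return 1
    return 0
}

# Usage: compare the two, then confirm the hardened settings stuck.
echo "default : $(inherited_limits_unhardened)"
echo "hardened: $(inherited_limits)"
check_hardening && echo "inetd-style hardening verified"
```

Because limits and umask are inherited across fork/exec, placing the two lines once in the init script before the inetd start line covers inetd and every service it spawns, including in.ftpd.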