[20300] in bugtraq
Re: SUN SOLARIS 5.6/5.7 FTP Globbing Exploit !
daemon@ATHENA.MIT.EDU (elliptic)
Wed Apr 18 13:52:28 2001
Message-ID: <NFBBKEINALDCHHOGMECKKEBJCBAA.elliptic@cipherpunks.com>
Date: Wed, 18 Apr 2001 01:49:14 -0700
Reply-To: elliptic <elliptic@CIPHERPUNKS.COM>
From: elliptic <elliptic@CIPHERPUNKS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200104170654.OAA32455@intra.nsfocus.com>

> Yes. It is possible that a local user can get part of the shadow file in
> Solaris 2.6 since the core file is world readable.

I've tested this on default installations of both 2.7 and 2.8, Sparc platform.
The first test was conducted on 2.7, and resulted in a core file being
generated in the $HOME directory of my user. The file, however, was created
with permissions 0600, root:root owned.

The second test was 2.8 under similar circumstances. Again, a core file was
generated. This time, in the root (/) directory. Same permissions as
previous.

The test was conducted via the local system, telnetting to the ftp daemon
via loopback.

Therefore, it is safe to say these revisions are not vulnerable, as default
permissions do not permit group or public read access.

Cheers,
elliptic