[15453] in bugtraq
Re: Netscape FTP Server - "Professional" as hell :>
daemon@ATHENA.MIT.EDU (Luis Pinto)
Fri Jun 23 17:55:14 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.20.0006230332210.8829-100000@student.dei.uc.pt>
Date: Fri, 23 Jun 2000 03:39:37 +0100
Reply-To: Luis Pinto <lmpinto@STUDENT.DEI.UC.PT>
From: Luis Pinto <lmpinto@STUDENT.DEI.UC.PT>
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ---------- Forwarded message ----------
Date: Wed, 21 Jun 2000 14:13:33 +0200
From: Michal Zalewski <lcamtuf@TPI.PL>
[...]
> $ ftp ftp.XXXX.xxx
> Connected to ftp.XXXX.xxx.
> 220-FTP Server - Version 1.36 - (c) 1999 Netscape Professional Services
> 220 You will be logged off after 1200 seconds of inactivity.
> Name (ftp.XXXX.xxx:lcamtuf): anonymous
> 331 Anonymous user OK, send e-mail address as password.
> Password:
[...]
> $ cat KUKU
> root:x:0:1:Super-User:/:/sbin/sh
> daemon:x:1:1::/:
> bin:x:2:2::/usr/bin:
> sys:x:3:3::/:
> adm:x:4:4:Admin:/var/adm:
> ...
Believe it or not, I got exactly the same result with
wu-ftpd-2.6.0... Proftpd is not vulnerable.
> Consequences:
> -------------
>
> - downloading / uploading any files to remote system,
> regardless of (poorly) implemented limits, with
> ftp daemon privileges (you can exploit eg. /tmp races,
> download vital files from system or other accounts etc)
>
> - this ftp server supports LDAP users; different LDAP
> accounts are served on single physical UID. It means,
> any user can access and eventually overwrite files
> on other accounts; as it's used in cooperation with
> webserver, usually virtual web servers are affected,
>
> - by accessing eg.
> /../../../../../../../../opt/netscape/ftpd/conf/ftpd.ini,
> you can simply grab LDAP passwords.
I hate to disagree with you, but the passwd file you got is the ftp
server, not the /etc/passwd. So, unless ftpd.ini is under the ftp root,
you can't grab it.
>
> Fix:
> ----
>
> ? Switching to open-source will be good. To developers: man chroot.
Switching to open-source? I wish you weren't so
generalist. Wu-ftpd *is* open-source :)))
But the "man chroot" advice is still valid :)))))
Thanks to Goncalo Pereira <goncalo@dei.uc.pt> for co-finding this
out with me ;-)
Regards,
Luis Pinto
- -----------------------------------------------------------------------
http://student.dei.uc.pt/~lmpinto - bofh@bofh.ff.uc.pt - ICQ #15663369
- -----------------------------------------------------------------------
"Open source software - with no walls and fences, who needs Windows and
Gates?"
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i
iQA/AwUBOVLN7YfF8HgH+Y51EQKj5QCfdOJqmQDEybz2yUuD55pwvO7bROoAniNz
75PG9NETUW1GWUBxKFiwSr3o
=hRjz
-----END PGP SIGNATURE-----
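
An added example, not part of the original message and not code from any of the FTP servers named in it: a lexical check a daemon can apply to a client-supplied path before opening it, rejecting requests like the /../../ path quoted above. The function name confine_path and the root /home/ftp are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64

/* Hypothetical helper, not taken from any FTP daemon: map a client-supplied
 * path onto a server-side path under `root`. Returns 0 on success, -1 if the
 * request climbs above the root or does not fit (`out` is then unspecified).
 * Lexical only: symlinks are not resolved, so chroot(2) into `root` remains
 * the kernel-enforced layer behind this check. */
int confine_path(const char *root, const char *req, char *out, size_t outlen)
{
    size_t mark[MAX_DEPTH];   /* length of `out` before each pushed component */
    size_t depth = 0, len = strlen(root);

    if (len == 0 || len >= outlen) return -1;
    memcpy(out, root, len + 1);

    while (*req) {
        size_t n = strcspn(req, "/");            /* next path component */
        if (n == 0 || (n == 1 && req[0] == '.')) {
            /* empty component ("//") or ".": nothing to add */
        } else if (n == 2 && req[0] == '.' && req[1] == '.') {
            if (depth == 0) return -1;           /* ".." would leave the root */
            len = mark[--depth];
            out[len] = '\0';
        } else {
            if (depth == MAX_DEPTH || len + 1 + n >= outlen) return -1;
            mark[depth++] = len;
            out[len++] = '/';
            memcpy(out + len, req, n);
            len += n;
            out[len] = '\0';
        }
        req += n;
        if (*req == '/') req++;
    }
    return 0;
}

int main(void)
{
    /* "/home/ftp" is a constructed root; the second request is the one quoted above. */
    const char *reqs[] = { "/pub/./docs/../README",
        "/../../../../../../../../opt/netscape/ftpd/conf/ftpd.ini" };
    char out[256];
    for (int i = 0; i < 2; i++)
        printf("%s -> %s\n", reqs[i],
               confine_path("/home/ftp", reqs[i], out, sizeof out) ? "REJECTED" : out);
    return 0;
}
```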