[15468] in bugtraq
Re: Netscape FTP Server - "Professional" as hell :>
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Sat Jun 24 15:45:03 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.21.0006241129510.11279-100000@dione.ids.pl>
Date: Sat, 24 Jun 2000 11:32:22 +0200
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To: Luis Pinto <lmpinto@STUDENT.DEI.UC.PT>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.20.0006230332210.8829-100000@student.dei.uc.pt>
On Fri, 23 Jun 2000, Luis Pinto wrote:
> > $ cat KUKU
> > root:x:0:1:Super-User:/:/sbin/sh
> > daemon:x:1:1::/:
> > bin:x:2:2::/usr/bin:
> > sys:x:3:3::/:
> > adm:x:4:4:Admin:/var/adm:
> > ...
>
> Believe it or not, I got exactly the same result with
> wu-ftpd-2.6.0... Proftpd is not vulnerable.
wu-ftpd on anonymous account is doing chroot(), so you'll get fake
/etc/passwd (/home/ftp/etc/passwd). On luser accounts, by default wu is
NOT doing chroot, and you have access to whole filesystem with your
privileges. But it's possible to chroot() every user, and in this case it
will work properly.
> I hate to disagree with you, but the passwd file you got is the ftp
> server, not the /etc/passwd. So, unless ftpd.ini is under the ftp
> root, you can't grab it.
No. Please try it on Netscape FTP, ok?:P There's no such thing as ftp
server /etc/passwd, unlike wu-ftpd.
_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=