[15763] in bugtraq
Re: ftpd: the advisory version
daemon@ATHENA.MIT.EDU (Richard Rager)
Wed Jul 12 17:16:45 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.10.10007111137420.22359-100000@penguin.penguinmaster.com>
Date: Tue, 11 Jul 2000 11:47:49 -0600
Reply-To: Richard Rager <kb8rln@PENGUINMASTER.COM>
From: Richard Rager <kb8rln@PENGUINMASTER.COM>
X-To: "D. J. Bernstein" <djb@CR.YP.TO>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000710201100.10973.qmail@cr.yp.to>
On Mon, 10 Jul 2000, D. J. Bernstein wrote:
> 1. Surely there are other people still wondering about proftpd. Can an
> attacker take over proftpd 1.2.0pre10? CERT seems to say yes, but the
> maintainer says ``relatively minor.'' What's the deal?
>
Yes, I have had someone get a shell account on my box with proftpd
1.2.0pre10. I was able to keep him out for a little more time with
kernel 2.2.16 until the code changed. This is in the wild!
> 2. I agree that setproctitle() is rather pointless. My comments were
> about all functions with printf()-type format strings. Typical strings
> should fail as format strings.
>
Yes
I was running proftpd in standalone mode. The proftpd dies in some of
these attacks. It was running as user ftp.
Enjoy,
Richard
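
The bug class discussed in the quoted text, client data reaching a printf()-type format argument, shown as an added example that is not part of the original thread or of proftpd's code. set_title() is a hypothetical stand-in for an API such as setproctitle(), and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char title[64];

/* Hypothetical stand-in for a printf()-type API such as setproctitle():
 * formats into a fixed buffer and returns the untruncated length. */
static int set_title(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(title, sizeof title, fmt, ap);
    va_end(ap);
    return n;
}

/* Count conversion directives in s; "%%" is a literal percent sign.
 * A non-zero result means s must not be used as a format string. */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;        /* escaped percent, not a directive */
        else
            n++;        /* real directive, or a dangling '%' */
    }
    return n;
}

/* Hardened call site: client data is only ever an argument, never the
 * format. The vulnerable form would be set_title(client_data). */
static int set_title_from_client(const char *client_data)
{
    return set_title("%s", client_data);
}

int main(void)
{
    const char *input = "USER %x%x%n";   /* constructed sample input */
    printf("directives in input: %d\n", count_directives(input));
    set_title_from_client(input);
    printf("title copied literally: %s\n",
           strcmp(title, input) == 0 ? "yes" : "no");
    return 0;
}
```

count_directives() is also usable as a check over logged client commands: ordinary usernames and paths score zero.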