Bugtraq mailing list archives
Re: Netscape FTP Server - "Professional" as hell :>
From: lmpinto () STUDENT DEI UC PT (Luis Pinto)
Date: Fri, 23 Jun 2000 03:39:37 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------- Forwarded message ----------
Date: Wed, 21 Jun 2000 14:13:33 +0200
From: Michal Zalewski <lcamtuf () TPI PL>

[...]

$ ftp ftp.XXXX.xxx
Connected to ftp.XXXX.xxx.
220-FTP Server - Version 1.36 - (c) 1999 Netscape Professional Services
220 You will be logged off after 1200 seconds of inactivity.
Name (ftp.XXXX.xxx:lcamtuf): anonymous
331 Anonymous user OK, send e-mail address as password.
Password:
[...]
$ cat KUKU
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
...

Believe it or not, I got exactly the same result with wu-ftpd-2.6.0... Proftpd is not vulnerable.

Consequences:
-------------

- downloading / uploading any files to remote system, regardless of
  (poorly) implemented limits, with ftp daemon privileges (you can
  exploit eg. /tmp races, download vital files from system or other
  accounts etc)

- this ftp server supports LDAP users; different LDAP accounts are
  served on single physical UID. It means, any user can access and
  eventually overwrite files on other accounts; as it's used in
  cooperation with webserver, usually virtual web servers are affected,

- by accessing eg. /../../../../../../../../opt/netscape/ftpd/conf/ftpd.ini,
  you can simply grab LDAP passwords.

I hate to disagree with you, but the passwd file you got is the ftp server, not the /etc/passwd. So, unless ftpd.ini is under the ftp root, you can't grab it.

Fix:
----

? Switching to open-source will be good. To developers: man chroot.

Switching to open-source? I wish you weren't so generalist. Wu-ftpd *is* open-source :))) But the "man chroot" advice is still valid :)))))

Thanks to Goncalo Pereira <goncalo () dei uc pt> for co-finding this out with me ;-)

Regards,
Luis Pinto

- -----------------------------------------------------------------------
http://student.dei.uc.pt/~lmpinto - bofh () bofh ff uc pt - ICQ #15663369
- -----------------------------------------------------------------------
"Open source software - with no walls and fences, who needs Windows and Gates?"

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOVLN7YfF8HgH+Y51EQKj5QCfdOJqmQDEybz2yUuD55pwvO7bROoAniNz
75PG9NETUW1GWUBxKFiwSr3o
=hRjz
-----END PGP SIGNATURE-----
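
Added example, not part of the original posts and not code from any of the servers named: one way a daemon can refuse the `/../../..` style paths discussed in this thread before touching the filesystem, as a second layer next to chroot(2). `confine_path` is a hypothetical helper, and it assumes the request has already been joined with the session's current directory.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: lexically normalise a client-supplied path against
 * a virtual root. "." and empty components are dropped; ".." pops one
 * component and is rejected when it would climb above the root.
 * Returns 0 and writes a root-relative absolute path to out, or -1 on an
 * escape attempt or when the result does not fit in outsz bytes. */
int confine_path(const char *req, char *out, size_t outsz)
{
    size_t len = 0;                       /* length of normalised path */
    const char *p = req;

    if (outsz < 2) return -1;
    out[0] = '\0';
    while (*p) {
        while (*p == '/') p++;            /* skip runs of separators */
        size_t n = strcspn(p, "/");       /* length of next component */
        if (n == 0) break;
        if (n == 1 && p[0] == '.') {
            /* current directory: nothing to do */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (len == 0) return -1;      /* would leave the virtual root */
            while (len > 0 && out[--len] != '/')
                ;                         /* pop the last component */
            out[len] = '\0';
        } else {
            if (len + n + 2 > outsz) return -1;   /* '/' + name + NUL */
            out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
            out[len] = '\0';
        }
        p += n;
    }
    if (len == 0) strcpy(out, "/");       /* everything cancelled: root */
    return 0;
}

int main(void)
{
    /* Constructed sample requests; the first is the path quoted above. */
    const char *reqs[] = {
        "/../../../../../../../../opt/netscape/ftpd/conf/ftpd.ini",
        "/pub/./docs/../README", "/pub/../../etc/passwd" };
    char buf[256];
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-58s -> %s\n", reqs[i],
               confine_path(reqs[i], buf, sizeof buf) ? "REJECT" : buf);
    return 0;
}
```

The check is lexical only and does not resolve symlinks, so it complements chroot(2) rather than replacing it.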