Bugtraq mailing list archives

Re: Netscape FTP Server - "Professional" as hell :>


From: lmpinto () STUDENT DEI UC PT (Luis Pinto)
Date: Fri, 23 Jun 2000 03:39:37 +0100


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------- Forwarded message ----------
Date: Wed, 21 Jun 2000 14:13:33 +0200
From: Michal Zalewski <lcamtuf () TPI PL>

[...]

$ ftp ftp.XXXX.xxx
Connected to ftp.XXXX.xxx.
220-FTP Server - Version 1.36 - (c) 1999 Netscape Professional Services
220 You will be logged off after 1200 seconds of inactivity.
Name (ftp.XXXX.xxx:lcamtuf): anonymous
331 Anonymous user OK, send e-mail address as password.
Password:

[...]

$ cat KUKU
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
...

Believe it or not, I got exactly the same result with
wu-ftpd-2.6.0... Proftpd is not vulnerable.

Consequences:
-------------

- downloading / uploading any files to remote system,
  regardless of (poorly) implemented limits, with
  ftp daemon privileges (you can exploit eg. /tmp races,
  download vital files from system or other accounts etc)

- this ftp server supports LDAP users; different LDAP
  accounts are served on single physical UID. It means,
  any user can access and eventually overwrite files
  on other accounts; as it's used in cooperation with
  webserver, usually virtual web servers are affected,

- by accessing eg.
  /../../../../../../../../opt/netscape/ftpd/conf/ftpd.ini,
  you can simply grab LDAP passwords.

I hate to disagree with you, but the passwd file you got is the ftp
server, not the /etc/passwd. So, unless ftpd.ini is under the ftp root,
you can't grab it.


Fix:
----

? Switching to open-source will be good. To developers: man chroot.

        Switching to open-source? I wish you weren't so
generalist. Wu-ftpd *is* open-source :)))

        But the "man chroot" advice is still valid :)))))

        Thanks to Goncalo Pereira <goncalo () dei uc pt> for co-finding this
out with me ;-)

                                         Regards,
                                        Luis Pinto
- -----------------------------------------------------------------------
http://student.dei.uc.pt/~lmpinto -  bofh () bofh ff uc pt - ICQ #15663369
- -----------------------------------------------------------------------
"Open source software - with no walls and fences, who needs Windows and
Gates?"

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOVLN7YfF8HgH+Y51EQKj5QCfdOJqmQDEybz2yUuD55pwvO7bROoAniNz
75PG9NETUW1GWUBxKFiwSr3o
=hRjz
-----END PGP SIGNATURE-----
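
The containment discussed in this thread, shown from the server side as an added example (not code from the post, from Netscape's server or from wu-ftpd): a lexical resolver that clamps ".." at the session's virtual root before the real root directory is prepended. The function name ftp_confine and the virtual-root model are assumptions; the check is lexical only, so symlinks inside the tree still need chroot(2), as the thread advises.

```c
#include <stdio.h>
#include <string.h>

/* Resolve a client-supplied FTP path against the session's virtual cwd.
 * Lexical only: "." is dropped, ".." pops one component and is clamped at
 * the virtual root. Returns 0 on success, -1 if the result does not fit. */
int ftp_confine(const char *cwd, const char *req, char *out, size_t outlen)
{
    char buf[1024];
    size_t len = 1;                       /* length of the path built in out */
    if (outlen < 2)
        return -1;
    /* Absolute requests ignore cwd; relative ones are appended to it. */
    if (snprintf(buf, sizeof buf, "%s/%s", req[0] == '/' ? "" : cwd, req)
            >= (int)sizeof buf)
        return -1;
    out[0] = '/';
    out[1] = '\0';

    for (char *p = buf; *p; ) {
        while (*p == '/') p++;            /* skip repeated separators */
        size_t n = strcspn(p, "/");       /* length of this component */
        if (n == 0) break;
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            /* pop the last component, never climbing above the root */
            while (len > 1 && out[len - 1] != '/') len--;
            if (len > 1) len--;           /* drop the separator too */
            out[len] = '\0';
        } else if (!(n == 1 && p[0] == '.')) {
            size_t sep = (len > 1);       /* '/' needed unless at root */
            if (len + sep + n + 1 > outlen)
                return -1;
            if (sep) out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
            out[len] = '\0';
        }
        p += n;
    }
    return 0;
}

int main(void)
{
    char out[256];                        /* request path quoted in the post */
    if (ftp_confine("/", "/../../../../../../../../opt/netscape/ftpd/conf/ftpd.ini", out, sizeof out) == 0)
        printf("%s\n", out);              /* stays below the virtual root */
    return 0;
}
```

The server would then open the configured FTP root joined with the returned path, so the request from the post resolves to a file under the FTP root rather than the real ftpd.ini.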

