Bugtraq mailing list archives

Re: Aftpd core dump vulnerability


From: Nu Omega Tau <nu_omega_tau () altavista com>
Date: 7 Jan 2002 14:13:04 -0800

I received some further information on this matter since my posting. The daemon is an old one developed by Washington 
University and was ported to FreeBSD from BSD/OS VPS. The sites I checked all allowed other than anonymous logins and I 
think the site you came across probably did too, as there would be no reason why it would access the password file if it 
didn't.

That the passwd file retrieved wasn't the real password file is probably partially true. Many hosting providers use, to 
cut costs, a so-called virtual hosting system: when you telnet or ftp in, it seems like you've got an entire operating 
system for yourself. The truth is, many of these operating systems run simultaneously on the same machine on top of 
another OS, which in your case probably used the MD5 passwords. In other words, the password file retrieved was the one 
of one of the virtual operating systems.

I also got some suggestions that this may be a Firewall-1 ftpd, which is called aftpd too. I believe this is incorrect, 
as Firewall-1 ftp daemons clearly identify themselves as Firewall-1. I think it's safe to say that this is an entirely 
different aftpd.

I think the best solution to this problem would be to switch to a modern and reliable ftpd with good documentation and 
support, such as proftpd or wu_ftpd.

Nu


I, too, came across this vulnerability many months ago and tried to no
avail to locate the author.  I did, however, find what appeared to be
the website of the daemon in question (the URL has been lost).
As to your assumption that the daemon allowed 'regular' (/etc/passwd)
logins, are you sure?  My test site didn't, and the password file grabbed
in the core was -not- the system password file.  The daemon used DES for
the passwords, yet the system used MD5... my test site also gave me the
appearance that it was the system password file, because the administrator
gave -almost all- system users accounts on the aftpd.  That system, too,
was a large hosting company (Canadian?).  If the author is MIA and no point
of contact can be made, I'm not sure if a vendor solution would be viable.
Just thought I would add my input into this situation, but from what I've
seen, only other aftpd user accounts are at risk--hoping, of course, that
people aren't using the same password for everything they touch.  *sigh*

Thanks for your time, hope this helps anyone interested,

.Jeffrey Roberts
        [Neeko]
        01/07/02
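The DES-versus-MD5 observation in the reply above is a usable triage signal for anyone who finds a passwd-style file in an ftpd core dump: the crypt(3) scheme of the entries tells you whether the file can be the host's own account database, and the overlap of usernames tells you which accounts need a password reset regardless. The script below is an added illustration written for this archive page, not code from either poster or from the aftpd project; the two sample files are constructed, and the scheme detection relies only on the standard crypt(3) prefixes ($1$ MD5, $5$ SHA-256, $6$ SHA-512, $2*$ bcrypt) and the 13-character traditional DES form.

```python
"""Triage a leaked passwd-style file against the host's account list.

Added example for the thread above; not the daemon's code. Sample data is
constructed. Classifies each password field by crypt(3) scheme, reports
whether the leaked file uses the same active scheme as the system file,
and lists accounts that exist in both (reset candidates) plus any entries
whose hash string is byte-identical in both files (certain password reuse).
"""
import re
from collections import Counter

# Traditional DES crypt(3): exactly 13 characters from the hash alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed sample: what an old ftpd's private account file might look like.
AFTPD_PASSWD = """\
alice:ab3kR7qwLmN2o:1001:1001:Alice:/home/alice:/bin/sh
bob:xY9.dLp0QzT4e:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol (disabled):/home/carol:/bin/sh
"""

# Constructed sample: the host's own shadow-style file, using MD5 crypt.
SYSTEM_SHADOW = """\
alice:$1$saltsalt$QwErTyUiOpAsDfGhJkLzX1:15000:0:99999:7:::
bob:$1$tlastlas$ZxCvBnMaSdFgHjKlQwErT0:15000:0:99999:7:::
dave:$1$abcdefgh$PoIuYtReWqLkJhGfDsAzX/:15000:0:99999:7:::
"""


def classify_hash(field: str) -> str:
    """Return the crypt(3) scheme implied by one password field."""
    if field == "":
        return "empty"
    if field[0] in "*!":
        return "locked"
    if field.startswith("$1$"):
        return "md5"
    if field.startswith("$5$"):
        return "sha256"
    if field.startswith("$6$"):
        return "sha512"
    if field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if DES_RE.match(field):
        return "des"
    return "unknown"


def parse_passwd(text: str) -> dict:
    """Map user -> password field for 'user:hash:...' lines (passwd or shadow)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # malformed line; skip rather than guess
        entries[parts[0]] = parts[1]
    return entries


def scheme_summary(entries: dict) -> dict:
    """Count how many entries use each hash scheme."""
    return dict(Counter(classify_hash(h) for h in entries.values()))


def triage(leaked_text: str, system_text: str) -> dict:
    """Compare a leaked account file with the host's own account file."""
    leaked = parse_passwd(leaked_text)
    system = parse_passwd(system_text)
    leaked_schemes = scheme_summary(leaked)
    system_schemes = scheme_summary(system)

    def active(schemes: dict) -> set:
        # Locked and empty fields carry no hash, so they say nothing about the scheme.
        return {s for s in schemes if s not in ("locked", "empty")}

    shared = sorted(set(leaked) & set(system))
    # Byte-identical hash strings mean same salt and same password: certain reuse.
    identical = sorted(
        u for u in shared
        if leaked[u] == system[u] and classify_hash(leaked[u]) in active({classify_hash(leaked[u]): 1})
    )
    return {
        "leaked_schemes": leaked_schemes,
        "system_schemes": system_schemes,
        "same_active_schemes": active(leaked_schemes) == active(system_schemes),
        "shared_accounts": shared,      # reset these whether or not the file is the system's
        "identical_hashes": identical,  # password reuse is proven for these
    }


if __name__ == "__main__":
    result = triage(AFTPD_PASSWD, SYSTEM_SHADOW)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed data the leaked file is all DES while the host is all MD5, so `same_active_schemes` is false, matching the reply's reasoning that the dumped file was the daemon's own store rather than the system's; `alice` and `bob` still appear in both and should have their passwords reset, since the thread's worry about reuse across services cannot be ruled out from the hashes alone.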


