Vulnerability Development: aix ftpd

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

aix ftpd

From: alex medvedev <alexm () synthesys com>
Date: Thu, 29 Nov 2001 16:01:32 -0600 (CST)

hallo,

aix ftpd does strange things when supplied the notorious globbing pattern.
although it does not crash,
if you repeatedly run "ls ~{" it produces different results:

$ ftp aix5.1-ml01
Connected to aix.machine.com.
220 aix5.1 FTP server (Version 4.1 Tue May 29 11:57:21 CDT 2001) ready.
Name (aix5.1:alexm):
331 Password required for alexm.
Password:
230 User alexm logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ~{
227 Entering Passive Mode (10,0,32,2,128,211)
550 Unknown user name after ~
ftp> ls ~{
150 Opening data connection for /bin/ls.
Passive mode refused.
ftp> ls ~{
226 Transfer complete.
ftp: connect: Connection refused
ftp> ls ~{
227 Entering Passive Mode (10,0,32,2,128,212)
227 Entering Passive Mode (10,0,32,2,128,213)
ftp> ls ~{
227 Entering Passive Mode (10,0,32,2,128,214)
550 Unknown user name after ~
ftp> ls ~{
150 Opening data connection for /bin/ls.
Passive mode refused.
ftp> ls ~{
226 Transfer complete.
ftp: connect: Connection refused
ftp> ls ~{
227 Entering Passive Mode (10,0,32,2,128,215)
550 Unknown user name after ~
ftp> ls ~{
150 Opening data connection for /bin/ls.
Passive mode refused.
ftp> ls ~{
226 Transfer complete.
ftp: connect: Connection refused

moreover, after running "ls ~{" once and getting any error message --> you
can not run any commands and will get a connection refused message. after
several attempts the functionality restores. Example:

ftp> ls
227 Entering Passive Mode (10,0,32,2,128,250)
150 Opening data connection for /bin/ls.
total 46797
-rw-------   1 root     system           15 Nov 07 14:38 .bash_history
-rwxr-----   1 alexm    staff           254 Nov 07 14:02 .profile
-rw-------   1 alexm    staff          1458 Nov 08 10:10 .sh_history
drwx------   2 alexm    staff           512 Nov 07 14:04 .ssh
drwxr-xr-x  28 alexm    staff          3584 Nov 08 08:35 perl-5.6.1
-rw-r--r--   1 alexm    staff      23951360 Nov 07 14:04 stable.tar
226 Transfer complete.
ftp> ls ~{
227 Entering Passive Mode (10,0,32,2,128,251)
550 Unknown user name after ~
ftp> ls
150 Opening data connection for /bin/ls.
Passive mode refused.
ftp> ls
226 Transfer complete.
ftp: connect: Connection refused
ftp> ls
227 Entering Passive Mode (10,0,32,2,128,252)
150 Opening data connection for /bin/ls.
total 46797
-rw-------   1 root     system           15 Nov 07 14:38 .bash_history
-rwxr-----   1 alexm    staff           254 Nov 07 14:02 .profile
-rw-------   1 alexm    staff          1458 Nov 08 10:10 .sh_history
drwx------   2 alexm    staff           512 Nov 07 14:04 .ssh
drwxr-xr-x  28 alexm    staff          3584 Nov 08 08:35 perl-5.6.1
-rw-r--r--   1 alexm    staff      23951360 Nov 07 14:04 stable.tar
226 Transfer complete.

i did not have time to mess with it enough,
just thought it was interesting (hi, troy :) )

-alexm
__________________________________________
panic("Aiee, killing interrupt handler!");

By Date By Thread

Current thread:

aix ftpd alex medvedev (Nov 29)
- Re: aix ftpd Peter Kovacs (Nov 30)
  - Re: aix ftpd alex medvedev (Nov 30)
- <Possible follow-ups>
- aix ftpd alex medvedev (Nov 29)
  - RE: aix ftpd David Barroso (Nov 30)