 
Bugtraq mailing list archives
Re: NcFTP - password leaking
From: Frank v Waveren <fvw () var cx>
Date: Tue, 20 Apr 2004 19:02:15 +0200
On Tue, Apr 20, 2004 at 12:46:10AM +0100, Konstantin Gavrilenko wrote:
> ncftp client does not hash the password under certain conditions. And such information is made available to other users through `ps aux`
[snip]
> root 798 0.0 0.1 2020 1064 pts/3 S 15:04 0:00 ncftp ftp://testuser:testpassword@filo.dmz.arhont.com/

I assume by hashing you mean scribbling over the password value in ARGV? That still leaves a race condition where the password is visible between the execve and the overwriting; there is no secure way of passing secrets on the command line on a multiuser unix system. Use a file descriptor or a file (either of which can of course be referenced on the command line).

--
Frank v Waveren                          Fingerprint: 9106 FD0D
fvw@[var.cx|stack.nl] ICQ#10074100       D6D9 3E7D FAF0 92D1
Public key: hkp://wwwkeys.pgp.net/8D54EB90       3931 90D6 8D54 EB90
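
The file-descriptor approach recommended in the reply above, as an added example that is not part of the original message or of NcFTP: a parent hands the password to a child over a pipe, so only a descriptor number ever appears in the argument list that `ps` shows. The `--password-fd` option name and the child program are hypothetical and constructed for illustration; the code assumes a POSIX system.

```python
import os
import subprocess
import sys

# Constructed child: takes the descriptor number from argv, reads the secret
# from that descriptor, and prints only the secret's length.
CHILD = (
    "import os, sys\n"
    "fd = int(sys.argv[sys.argv.index('--password-fd') + 1])\n"
    "with os.fdopen(fd, 'rb') as f:\n"
    "    print(len(f.read().rstrip(b'\\n')))\n"
)


def visible_cmdline(pid, argv):
    """Return the argument bytes that other local users can see for `pid`."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:  # Linux: what ps reads
            data = f.read()
    except OSError:
        data = b""
    # Without a usable /proc, fall back to the argv exactly as it was passed.
    return data or b"\0".join(os.fsencode(a) for a in argv)


def run_with_secret_fd(secret):
    """Hand `secret` to a child over a pipe; return (cmdline, bytes child read)."""
    r, w = os.pipe()
    argv = [sys.executable, "-c", CHILD, "--password-fd", str(r)]
    try:
        proc = subprocess.Popen(argv, pass_fds=(r,), stdout=subprocess.PIPE)
    finally:
        os.close(r)  # the parent keeps only the write end
    # The child is blocked reading the pipe, so its argv can be inspected now.
    cmdline = visible_cmdline(proc.pid, argv)
    with os.fdopen(w, "wb") as pipe_in:
        pipe_in.write(secret + b"\n")  # closing the write end gives the child EOF
    out, _ = proc.communicate()
    return cmdline, int(out)


if __name__ == "__main__":
    # Constructed sample value: the password shown in the quoted ps line.
    cmdline, n = run_with_secret_fd(b"testpassword")
    print("secret in cmdline:", b"testpassword" in cmdline, "| child read", n, "bytes")
```

Because the secret is written only after the child has started, there is no window between `execve` and any later scrubbing in which it sits in the argument vector.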
 


