Aftpd core dump vulnerability

From: Nu Omega Tau (nu_omega_tauat_private)
Date: Mon Jan 07 2002 - 06:08:08 PST


    Ok, first I'd like to say that after hours of research, I still have no idea who really wrote aftpd nor if it has an official homepage. There is one aftpd site I could find but it was talking about an ftpd that only allows anonymous logins, this also allows normal ones. I still think this vulnerability is worth mentioning as at least one large US hosting provider was affected by this bug. When connecting to it, the ftp daemon identifies itself as:
    
    220 example.com ftp server (Version 5.4.4) ready.
    
    The machines I saw it running on were all FreeBSD 4.2 but I've confirmed this is not a standard FreeBSD daemon.
    
    The vulnerability is the following: when any user (including an anonymous one) executes the following command on the ftp server: cd ~ (yes, it's that simple), aftpd dumps core in the current directory. The aftpd.core file can be downloaded but wouldn't contain a lot of valuable information. But, if a user would try to log in first with another username and the wrong password, the daemon reads the entire password file into its memory. When a user afterwards logs in with anonymous, the cd ~ trick can be used to dump the core with the encrypted passwords in it. These can be cracked with your favourite password cracker.
    
    All known users were notified. (1 user, >10000 hosts)
    
    Vendor was not notified, my apologies for this, I just have no idea who he is.
    
    If anyone has some more information about this daemon or knows the vendor, please contact me so appropriate steps can be taken.
    
    Nu Omega Tau
    
    --------------------
    Favourite pickup line: Hey baby, wanna synchronize sequence numbers?
    Warning: not always effective
    --------------------
    
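The practical question for an administrator reading the report above is whether a core file sitting in an FTP tree has already leaked password-file records. The scanner below is an added example, not code from the post or from the aftpd project; it assumes the leaked data looks like FreeBSD master.passwd lines (name:hash:uid:gid:class:change:expire:gecos:home:shell) embedded verbatim in an otherwise binary core image, which is what a daemon that read the password file into memory and then dumped core would leave behind. The sample core image, its file name and the hash value in it are constructed for the demonstration.

```python
"""Scan an FTP document root for core files that leak password-file records."""
import os
import re
import stat
import tempfile
from typing import Dict, List

# One master.passwd record: user, hash (or placeholder), uid, gid.
# The hash field is either a 13-character traditional DES crypt string,
# a modular-crypt string ($1$salt$hash and friends), or a placeholder
# such as "*" or "!" that carries no secret at all.
_RECORD = re.compile(
    rb"(?<![\w-])([a-z_][a-z0-9_-]{0,31}):"                  # user name
    rb"(\*|!|[./0-9A-Za-z]{13}|\$[0-9a-z]+\$[^:\n\x00]+):"   # hash or placeholder
    rb"(\d{1,10}):(\d{1,10}):"                               # uid:gid
)


def find_leaked_hashes(blob: bytes) -> Dict[str, str]:
    """Return {user: hash} for every record whose hash field is a real hash."""
    leaked: Dict[str, str] = {}
    for m in _RECORD.finditer(blob):
        user = m.group(1).decode("ascii")
        field = m.group(2).decode("ascii", "replace")
        if field in ("*", "!"):
            continue  # locked or shadowed entry: nothing to crack
        leaked[user] = field
    return leaked


def is_core_file(name: str) -> bool:
    """Match the names a BSD-style core dump is written under (core, prog.core)."""
    return name == "core" or name.endswith(".core")


def scan_ftp_root(root: str) -> List[dict]:
    """Walk an FTP tree, inspect every core file and report what it exposes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_core_file(name):
                continue
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                leaked = find_leaked_hashes(fh.read())
            findings.append({
                "path": path,
                "world_readable": bool(st.st_mode & stat.S_IROTH),
                "users_with_hashes": sorted(leaked),
            })
    return findings


# Constructed sample "core image": binary junk around two password records.
# The root hash is a made-up placeholder string, not a real credential.
SAMPLE_CORE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 32
    + b"root:$1$constructed$NOTAREALHASHxxxxxxxxxx:0:0::0:0:Charlie &:/root:/bin/csh\n"
    + b"ftp:*:14:5::0:0:Anonymous FTP:/var/ftp:/nonexistent\n"
    + b"\xde\xad\xbe\xef" * 8
)


def demo_scan() -> List[dict]:
    """Write the constructed core into a temporary FTP root and scan it."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "pub", "aftpd.core")  # constructed file name
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as fh:
            fh.write(SAMPLE_CORE)
        os.chmod(path, 0o644)  # world-readable, as a dump left in the FTP tree would be
        return scan_ftp_root(root)


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

The scanner only finds dumps that already exist; the anonymous "ftp" record is correctly ignored because its hash field is the placeholder "*", while the "root" record is reported. On FreeBSD, the sysctl kern.coredump=0 stops the kernel from writing core files for any process, which removes the download vector entirely while the daemon itself remains unfixed.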
    



    This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 06:26:21 PST