Re: Aftpd core dump vulnerability

From: Nu Omega Tau (nu_omega_tauat_private)
Date: Mon Jan 07 2002 - 14:13:04 PST


    I received some further information on this matter since my posting. The daemon is an old one developed by Washington University and was ported to FreeBSD from BSD/OS VPS. The sites I checked all allowed other than anonymous logins, and I think the site you came across probably did too, as there would be no reason why it would access the password file if it didn't.
    
    That the passwd file retrieved wasn't the real password file is probably partially true. Many hosting providers use, to cut costs, a so-called virtual hosting system: when you telnet or ftp in, it seems like you've got an entire operating system for yourself. The truth is, many of these operating systems run simultaneously on the same machine on top of another OS, which in your case probably used the MD5 passwords. In other words, the password file retrieved was the one of one of the virtual operating systems.
    
    I also got some suggestions that this may be a Firewall-1 ftpd, which is called aftpd too. I believe this is incorrect, as Firewall-1 ftp daemons clearly identify themselves as Firewall-1. I think it's safe to say that this is an entirely different aftpd.
    
    I think the best solution to this problem would be to switch to a modern and reliable ftpd with good documentation and support, such as proftpd or wu_ftpd.
    
    Nu
    
    > 
    > I, too, came across this vulnerability many months ago and tried to no
    > avail to locate the author.  I did, however, find what appeared to be
    > the website of the daemon in question (the URL has been lost).
    > As to your assumption that the daemon allowed 'regular' (/etc/passwd)
    > logins, are you sure?  My test site didn't, and the password file grabbed
    > in the core was -not- the system password file.  The daemon used DES for
    > the passwords, yet the system used MD5... my test site also gave me the
    > appearance that it was the system password file, because the administrator
    > gave -almost all- system users accounts on the aftpd.  That system, too,
    > was a large hosting company (Canadian?).  If the author is MIA and no point
    > of contact can be made, I'm not sure if a vendor solution would be viable.
    > Just thought I would add my input into this situation, but from what I've
    > seen, only other aftpd user accounts are at risk--hoping, of course, that
    > people aren't using the same password for everything they touch.  *sigh*
    > 
    > Thanks for your time, hope this helps anyone interested,
    > 
    > .Jeffrey Roberts
    >         [Neeko]
    >         01/07/02
    
    Find the best deals on the web at AltaVista Shopping!
    http://www.shopping.altavista.com
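As an added defender-side example (not code from this thread or from aftpd), here is a small Python scanner that pulls passwd-format records out of a core file and classifies the password field, which is the check the DES-versus-MD5 argument above rests on; the core bytes are a constructed sample, not a real aftpd core.

```python
import re
from collections import Counter

# Constructed sample "core": ELF-like noise with passwd-style records embedded,
# the way the thread describes the aftpd core carrying a password file.
SAMPLE_CORE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"root:aBcDeFgHiJkLm:0:0:root:/root:/bin/sh\n"
    + b"\x00\x00\xff\xfe"
    + b"ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin\n"
    + b"alice:$1$saltsalt$fakehashvalue12345678901:1001:1001:Alice:/home/alice:/bin/sh\n"
    + b"bob:x:1002:1002:Bob:/home/bob:/bin/sh\n"
    + b"garbage\x01\x02not:a:passwd:line\n"
)

# user:passwd:uid:gid:gecos:home:shell, exactly seven colon-separated fields
PASSWD_RE = re.compile(r"([a-z_][a-z0-9_-]*):([^:]*):(\d+):(\d+):([^:]*):([^:]*):([^:]*)")


def classify_hash(field: str) -> str:
    """Name the password-field format. A 13-char traditional DES hash versus a
    $1$ MD5 hash is what distinguishes a virtual host's file from the base OS's."""
    if field in ("", "*", "!", "x"):
        return "none/locked/shadowed"
    if field.startswith("$1$"):
        return "md5"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"
    return "unknown"


def _printable_lines(data: bytes):
    """Yield runs of printable ASCII, split on newlines, so records preceded by
    binary junk (no newline before them) are still found."""
    for chunk in re.split(rb"[^\x20-\x7e\n]+", data):
        for line in chunk.split(b"\n"):
            if line:
                yield line.decode("ascii")


def find_passwd_records(data: bytes) -> list:
    records = []
    for line in _printable_lines(data):
        m = PASSWD_RE.fullmatch(line)
        if m:
            user, pw, uid, gid, gecos, home, shell = m.groups()
            records.append({"user": user, "uid": int(uid),
                            "hash_type": classify_hash(pw), "shell": shell})
    return records


def summarize(data: bytes) -> Counter:
    """Count records per hash format; a DES-only result suggests a virtual
    instance's file rather than the MD5-using host's."""
    return Counter(r["hash_type"] for r in find_passwd_records(data))
```

Run it against a real core with `summarize(open(path, "rb").read())`; a non-empty result is itself the finding, since no credential material should survive in a world-readable core file.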
    



    This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 13:49:58 PST