Open Source and information security mailing list archives
Message-ID: <20040420170215.GA15050@var.cx>
Date: Tue, 20 Apr 2004 19:02:15 +0200
From: Frank v Waveren <fvw@....cx>
To: Konstantin Gavrilenko <mlists@...ont.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: NcFTP - password leaking


On Tue, Apr 20, 2004 at 12:46:10AM +0100, Konstantin Gavrilenko wrote:
> ncftp client does not hash the password under certain conditions. And 
> such information is made available to other users through `ps aux`
[snip]
> root       798  0.0  0.1  2020 1064 pts/3    S    15:04   0:00 ncftp
> ftp://testuser:testpassword@...o.dmz.arhont.com/

I assume by hashing you mean scribbling over the password value in
ARGV? That still leaves a race condition where the password is visible
between the execve and the overwriting; there is no secure way of
passing secrets on the command line on a multiuser unix system. Use a
file descriptor or a file (either of which can of course be referenced
on the command line).

-- 
Frank v Waveren                                      Fingerprint: 9106 FD0D
fvw@[var.cx|stack.nl] ICQ#10074100                      D6D9 3E7D FAF0 92D1
Public key: hkp://wwwkeys.pgp.net/8D54EB90              3931 90D6 8D54 EB90
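The descriptor-passing approach Frank recommends, as an added example that is not code from the original post or from NcFTP: a small C program that takes only the number of an inherited file descriptor on its command line and reads the secret from that descriptor, so the secret itself is never in argv and there is no execve-to-overwrite window for `ps` to hit. `scrub_arg` is the argv-overwriting approach the reply calls racy, included for contrast. The program name `secret_fd` and the function names `parse_fd_arg`, `read_secret_fd` and `scrub_arg` are this example's own.

```c
/*
 * secret_fd.c (added example): take a secret over an inherited file
 * descriptor instead of argv.
 *
 * Usage:   ./secret_fd 3 3< password_file
 *     or:  printf '%s\n' "$PW" | ./secret_fd 0
 * Only the descriptor number ends up in /proc/<pid>/cmdline; the secret
 * is never part of the command line, so `ps aux` cannot show it at any
 * point in the process's lifetime.
 */
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The approach the reply warns about: overwrite an argv string in place.
 * This only runs after execve() has already published argv, so ps (or
 * /proc/<pid>/cmdline) can read the secret in the interval before it. */
void scrub_arg(char *arg)
{
    volatile char *p = (volatile char *)arg;   /* volatile: keep the writes */
    while (*p)
        *p++ = 'x';
}

/* Parse "<fd>" from argv and confirm it is an open descriptor we inherited.
 * Returns the fd, or -1 if the string is not a plain non-negative integer
 * or nothing is open on that number. */
int parse_fd_arg(const char *s)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || end == s || *end != '\0' || v < 0 || v > INT_MAX)
        return -1;
    if (fcntl((int)v, F_GETFD) == -1)     /* not open: caller forgot the redirect */
        return -1;
    return (int)v;
}

/* Read one line from fd into buf (capacity cap) as the secret.
 * A trailing newline is stripped so both a file and a pipe from echo work.
 * Returns the secret's length, or -1 on read error or if it would not fit
 * (refusing beats silently truncating a password). */
ssize_t read_secret_fd(int fd, char *buf, size_t cap)
{
    size_t n = 0;
    for (;;) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (r == 0 || c == '\n')
            break;
        if (n + 1 >= cap)               /* leave room for the terminator */
            return -1;
        buf[n++] = c;
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

int main(int argc, char **argv)
{
    char secret[256];

    if (argc != 2) {
        fprintf(stderr, "usage: %s <fd>    e.g.  %s 3 3< password_file\n",
                argv[0], argv[0]);
        return 2;
    }
    int fd = parse_fd_arg(argv[1]);
    if (fd < 0) {
        fprintf(stderr, "%s: not an open file descriptor\n", argv[1]);
        return 2;
    }
    ssize_t n = read_secret_fd(fd, secret, sizeof secret);
    if (n < 0) {
        fprintf(stderr, "could not read a secret from fd %d\n", fd);
        return 1;
    }
    printf("got a %zd-byte secret from fd %d; it never appeared in argv\n", n, fd);
    /* ... authenticate with `secret` here ... */
    scrub_arg(secret);      /* wipe our own copy once we are done with it */
    return 0;
}
```

With `./secret_fd 3 3< password_file`, `ps aux` shows only `./secret_fd 3`: the shell performs the redirection before execve, and redirections are not part of argv. The same holds for `printf '%s\n' "$PW" | ./secret_fd 0`, where the secret travels through the pipe. Passing a file name instead of a descriptor works the same way as far as `ps` is concerned; the descriptor form just avoids leaving the password in a file the program has to open itself.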

