ISS X-Force Database: solaris-ftp-shadow-recovery(6422): Sun Solaris FTP server allows attackers to recover shadow file

Sun Solaris FTP server allows attackers to recover shadow file

solaris-ftp-shadow-recovery (6422)

Medium Risk

Description:

The FTP server shipped with Sun Solaris is vulnerable to a buffer overflow in the glob() function. A remote attacker can overflow a buffer to cause the system to dump core. By using the "CWD~" command and the glob function exploit, an attacker can cause parts of the shadow file, which includes sensitive information such as encrypted passwords, to be dumped to core. A local attacker could exploit this vulnerability to obtain passwords of other users from the shadow file and possibly gain elevated privileges on the system.

Platforms Affected:

Sun, Solaris 2.6
Sun, Solaris 7.0
Sun, Solaris 8

Remedy:

Apply the appropriate patch for your system, as listed in Sun(sm) Alert Notification 27843. See References:

Solaris 5: 103577-13
Solaris 5 x86: 103578-13
Solaris 5.1: 103603-16
Solaris 5.1 x86: 103604-16
Solaris 6: 106301-04
Solaris 6 x86: 106302-04
Solaris 7: 110646-03
Solaris 7 x86: 110647-03
Solaris 8: 111606-02
Solaris 8 x86: 111607-02

Consequences:

Gain Privileges

References:

BugTraq Mailing List, Tue Apr 17 2001 - 01:44:49 CDT, Re: SUN SOLARIS 5.6/5.7 FTP Globbing Exploit ! at http://archives.neohapsis.com/archives/bugtraq/2001-04/0285.html.
Sun Alert ID: 27843, FTP Server Buffer Overflows May Allow Unauthorized Root Access and Memory Leaks Cause Possible System Hangs at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F27843&zone_32=4436988.
BID-2601: Solaris FTP Core Dump Shadow Password Recovery Vulnerability
CVE-2001-0421: FTP server in Solaris 8 and earlier allows local and remote attackers to cause a core dump in the root directory, possibly with world-readable permissions, by providing a valid username with an invalid password followed by a CWD ~ command, which could release sensitive information such as shadowed passwords, or fill the disk partition.

Reported:

Apr 17, 2001

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page