[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] SDI remote ProFTPD exploit

Subject: Re: [cobalt-security] SDI remote ProFTPD exploit
From: Gossi The Dog <gossi@xxxxxxxxxxxxxx>
Date: Thu, 28 Sep 2000 22:28:55 +0100 (BST)
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

The issue I'm talking about, setproctitle(), effects anon as well as
non-shell users.  I'm not going to spread FUD here though - linux doesn't
even support this function, so unless Cobalt have done some serious
hacking, I doubt it'll effect anybody.

Having said that, though, FreeBSD did release an advisory recently saying
all versions of ProFTPD prior to RC2 had a remote root comprise.  I
haven't been able to any details about this, nor an exploit.  It's listed
on http://www.freebsd.org/security.



On Thu, 28 Sep 2000, Theodore Jones wrote:

> Gossi,
> 
> Is this exploit only for users who have a shell account on the target RaQ?  or could it be
> channeled through anon FTP at all?
> 
> ~ Theo
> 
> Gossi The Dog wrote:
> 
> > If you search around on SecurityFocus.com, and look in the bugtraq
> > archives you will find a post from me a few months back about various
> > issues with Cobalt RaQ's.  The first two points have now been fixed
> > (well,
> > patches have been release).  The final note was about the fact that
> > ProFTPD pre9 has a security hole.
> >
> > To cut a long story short, emails were exchanged on this list with Cobalt
> > about the issue, Cobalt admitted there was a problem but declared that
> > ProFTPD rc1 (the current version at the time) had a problem with
> > chmodding, so no patch could be released.
> >
> > After this point?  Well, not much happened.
> >
> > If SDI has made an exploit for the problem (wouldn't suprise me), I doubt
> > it will work against RaQ's.  However, its still an issue.  Mind you,
> > having said this, actually upgrading ProFTPD is a bit of a nightmare at
> > the moment due to there being no single, stable version of it available.
> >
> > Pre10 has a format string bug.  RC1 apparently has a chmod bug.  RC2
> > breaks PASV.  CVS probably isn't stable enough for production environment.
> >
> > On Wed, 27 Sep 2000, Theodore Jones wrote:
> >
> > > Brian,
> > >
> > > Thanks.  I'm trying to track it down as well.
> > >
> > > ~ Theo
> > >
> > > Brian Foy Jr wrote:
> > >
> > > > Your right. In the end getting the information out there (and that includes the
> > > > actual exploits so we can test our servers) is the only way to help us figure out
> > > > how vaunerable we are, and how hard we have to push for a fix.
> > > >
> > > > I'm off to look up the exploit at:  www.securityfocus.com
> > > > They do a pretty good job of documenting this type of thing
> > > > and often have sugestions on how to fix it.
> > > >
> > > > Brian
> > > >
> > > > Theodore Jones wrote:
> > > >
> > > > > Well,
> > > > >
> > > > > If the hackers saw the last messages and indeed are monitoring this list, they
> > > > > already know about it I would guess.  I probably could have done a search to
> > > > > track this report down, but I'll admit to being slogged with "issues" all day
> > > > > and was looking for a lazy alternative....
> > > > >
> > > > > I appreciate your concern, but the "security by obscurity" issue has been
> > > > > thrashed out before in this forum.  I say let the information flow, block the
> > > > > holes when we find out about them, and let everyone here know loud and clear....
> > > > >
> > > > > My humble opinion only,
> > > > >
> > > > > ~ Theo
> > > > >
> > > > > Mark Baker - Cobalt Lists wrote:
> > > > >
> > > > > > Is that a good idea? This list is watched by hackers.
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Mark Baker
> > > > > > Dark Marketing Ltd
> > > > > > http://www.yoursitehere.co.uk
> > > > > >
> > > > > > Reply e-mail: mark@xxxxxxxxxxxxxxxxxx
> > > > > > ----- Original Message -----
> > > > > > From: Theodore Jones <theoj@xxxxxxxxxxxxx>
> > > > > > To: <cobalt-security@xxxxxxxxxxxxxxx>
> > > > > > Sent: Wednesday, September 27, 2000 7:44 PM
> > > > > > Subject: Re: [cobalt-security] SDI remote ProFTPD exploit
> > > > > >
> > > > > > > Can you send out a link to the report on this exploit possibly?
> > > > > > >
> > > > > > > ~ Theo
> > > > > > >
> > > > > > > Audric Leperdi wrote:
> > > > > > >
> > > > > > > > SDI remote ProFTPD exploit (Sept2K)
> > > > > > > >
> > > > > > > > Does the latest patch fix this exploit now publicly & widely available??
> > > > > > > >
> > > > > > > > Audric Leperdi
> > > > > > > > evolutiva s.r.l. - Via Varallo, 30 - 10153 Torino (TO) - Italy
> > > > > > > > Tel. +39.011.8121617 - Fax +39.011.8121614 - http://www.evolutiva.com
> > > > > > > > _____________________________________________________________________
> > > > > > > >
> > > > > > > > Il contenuto di questo messaggio è confidenziale e la lettura o la
> > > > > > > > divulgazione non autorizzata dello stesso viola i diritti di privacy del
> > > > > > > > mittente e del desinatario.
> > > > > > > > Se avete ricevuto questo messaggio per errore siete pregati di
> > > > > > distruggerlo
> > > > > > > > e di avvertire il mittente.
> > > > > > > >
> > > > > > > > This message is confidential and unauthorised reading or disclosing of
> > > > > > it
> > > > > > > > infringes privacy rights of sender and recipent.
> > > > > > > > If you are not the intended recipient of this message, please destroy it
> > > > > > and
> > > > > > > > inform the sender.
> > > > > > > > Tel 011 8121617 - Fax 011 8121614
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > cobalt-security mailing list
> > > > > > > > cobalt-security@xxxxxxxxxxxxxxx
> > > > > > > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > cobalt-security mailing list
> > > > > > > cobalt-security@xxxxxxxxxxxxxxx
> > > > > > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > > > > >
> > > > > > _______________________________________________
> > > > > > cobalt-security mailing list
> > > > > > cobalt-security@xxxxxxxxxxxxxxx
> > > > > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > > > >
> > > > > _______________________________________________
> > > > > cobalt-security mailing list
> > > > > cobalt-security@xxxxxxxxxxxxxxx
> > > > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > > >
> > > > _______________________________________________
> > > > cobalt-security mailing list
> > > > cobalt-security@xxxxxxxxxxxxxxx
> > > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > >
> > > _______________________________________________
> > > cobalt-security mailing list
> > > cobalt-security@xxxxxxxxxxxxxxx
> > > http://list.cobalt.com/mailman/listinfo/cobalt-security
> > >
> >
> > _______________________________________________
> > cobalt-security mailing list
> > cobalt-security@xxxxxxxxxxxxxxx
> > http://list.cobalt.com/mailman/listinfo/cobalt-security
> 
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>

References:
- Re: [cobalt-security] SDI remote ProFTPD exploit
  - From: Theodore Jones

Prev by Date: Re: [cobalt-security] SDI remote ProFTPD exploit
Next by Date: Re: [cobalt-security] SDI remote ProFTPD exploit
Previous by thread: Re: [cobalt-security] SDI remote ProFTPD exploit
Next by thread: Re: [cobalt-security] SDI remote ProFTPD exploit

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index