J-Security Center

Title: Solaris IN.FTPD CWD Username Enumeration Vulnerability

Severity: HIGH

Description:

Solaris is the variant of the UNIX Operating System distributed by Sun Microsystems. Solaris is a versatile operating system designed for use with machines as small as desktop systems and as large as enterprise systems.

A problem in the ftp daemon included with the Solaris Operating Environment could allow users without access to the local system to gather the names of valid users.

In a typical ftp client-server connection, the ftp client connects to the server, which returns a success (220) message to the client. Upon receiving the 220, the client presents a prompt to the ftp user for a valid login account. Upon successful receipt of the login account, the server returns a request for a password, or 331 message. Upon receiving the 331, the user is prompted for a password. After the user enters the password for the login account, a 230 message is sent indicating successful login.

By using a tool that does not automatically present a login prompt for a 220 message, it is possible to verify valid account names by using a CWD command and a guessed username. This occurs in the control connection to the ftpd, from any port on the client, to port 21 on the server.

After a CWD request naming the home directory of a user is sent, the ftpd returns one of two responses. If a valid username has been guessed, the ftp daemon presents the client with a request for a login and password. If an invalid user account was requested, the daemon returns an error indicating an invalid login name.
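One way to spot this behaviour in captured control-channel traffic is to flag CWD commands that arrive before the server has sent a 230 on that connection. The following is an added example, not part of the original advisory; the log line format, connection ids, addresses and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed control-channel log (format is an assumption):
# "<conn-id> <client-ip> <C|S> <FTP line>"
SAMPLE_LOG = """\
c1 192.0.2.10 S 220 ftp server ready
c1 192.0.2.10 C USER alice
c1 192.0.2.10 S 331 Password required
c1 192.0.2.10 C PASS ********
c1 192.0.2.10 S 230 User logged in
c1 192.0.2.10 C CWD /pub
c2 198.51.100.7 S 220 ftp server ready
c2 198.51.100.7 C CWD guess1
c2 198.51.100.7 C CWD guess2
c3 198.51.100.7 S 220 ftp server ready
c3 198.51.100.7 C cwd guess3
c4 203.0.113.5 S 220 ftp server ready
c4 203.0.113.5 C CWD /pub
c4 203.0.113.5 C USER bob
"""

def preauth_cwd(log_text):
    """Return {client_ip: [CWD arguments sent before a 230 on that connection]}."""
    logged_in = set()            # connections that have received a 230
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue             # skip malformed lines
        conn, ip, side, msg = parts
        verb, _, arg = msg.partition(" ")
        if side == "S":
            if verb == "220":
                logged_in.discard(conn)   # greeting: new session on a reused id
            elif verb == "230":
                logged_in.add(conn)
        elif side == "C" and verb.upper() == "CWD" and conn not in logged_in:
            hits[ip].append(arg.strip())
    return dict(hits)

def suspected_enumerators(log_text, threshold=3):
    """Client IPs with at least `threshold` pre-login CWDs, summed over connections."""
    return sorted(ip for ip, args in preauth_cwd(log_text).items()
                  if len(args) >= threshold)

if __name__ == "__main__":
    for ip, args in preauth_cwd(SAMPLE_LOG).items():
        print(ip, len(args), args)
    print("suspected:", suspected_enumerators(SAMPLE_LOG))
```

Counting per client address rather than per connection catches a client that spreads its guesses over several short connections, as c2 and c3 do in the sample.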

Affected Products:

  • Sun Solaris 2.6
  • Sun Solaris 2.6_x86
  • Sun Solaris 7.0
  • Sun Solaris 7.0_x86
