Title: Solaris FTP Core Dump Shadow Password Recovery Vulnerability
Severity: MODERATE
Description:
Solaris is the variant of the UNIX Operating System distributed by Sun Microsystems. Solaris is designed as a scalable operating system for the Intel x86 and Sun Sparc platforms, and operates on machines varying from desktop to enterprise server.
A previously existing problem in the ftp server included with the Solaris Operating Environment could allow a user with local access, or the ability to log in anonymously via ftp with access to the root directory, to recover sensitive information, and potentially gain elevated privileges.
Due to the buffer overflow contained in glob(), it is possible to cause a buffer overflow in the ftp daemon included with Solaris. By connecting to an ftp server with a client that does not conform to ftp standards, a user may enter the login name of a valid user and an incorrect password for that user.
Upon receiving an error indicating a failed login, the user may issue a CWD command requesting the home directory (~) of the desired user. This causes the ftp server to exit, dumping core.
The exposure lies in the core file. On systems configured to create core files from processes owned by root with permissions greater than 0600, it is possible for a local user to view this core file. The user may be able to find encrypted passwords within the core file, which could allow an offline dictionary attack against those passwords and, potentially, elevated privileges.
Affected Products:
- Sun Solaris 2.6
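The condition the description depends on, a root-owned core file with permissions greater than 0600, can be audited directly. The following is an added example, not part of the original advisory or any vendor tooling; the function names, the `core` / `core.*` naming pattern and the sample files are assumptions made for illustration.

```python
import os
import stat
import tempfile


def find_exposed_cores(root, owner_uid=0):
    """Return [(path, octal_mode)] for core files owned by owner_uid whose
    mode grants any access to group or other (more permissive than 0600)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            # Assumed naming: "core" or "core.<suffix>"
            if name != "core" and not name.startswith("core."):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if st.st_uid == owner_uid and mode & 0o077:
                findings.append((path, format(mode, "04o")))
    return sorted(findings)


def demo():
    """Run the audit over a constructed sample tree. The files are owned by
    the current user, so that uid stands in for root (uid 0) here."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as top:
        samples = {"core": 0o644, "core.1234": 0o600, "notes.txt": 0o644}
        for name, mode in samples.items():
            path = os.path.join(top, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample, not a real core dump\n")
            os.chmod(path, mode)
        hits = find_exposed_cores(top, owner_uid=me)
        return [(os.path.basename(p), m) for p, m in hits]


if __name__ == "__main__":
    for name, mode in demo():
        print(name, mode)
```

On a real host, call `find_exposed_cores("/")` as root so that every directory can be traversed; any path it returns is a root-owned core file readable beyond its owner.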