
Re: NCSA httpd 1.3 vulnerability still unsolved? (And where to go to solve it?)




On Sun, 9 Apr 1995, Scott Powers wrote:

> I have to argue with this...set up a telnet server? Well..okay..supposing
> "nobody" was able to _get_ the _modified_ telnet server from another site
> and get it running on the hacked site...nobody is still nobody. It has _no_
> login. It has no home directory. This "nobody" would have to change the
> passwd file to give an account to someone...something "nobody" just cannot
> do.

Sorry, you are incorrect.  There is no reason that nobody needs a login 
or password.  All I'd have to do is bind to a socket, listen, and 
fork-exec a shell for an incoming request.  Why on earth would I need a 
login for that? Remember, the server is glad to execute code for me.

> > Then Mr. Nobody can glean all sorts of data about your 
> > internal net, and almost certainly find some more serious holes on the 
> > server machine or some others.  
> 
> You can find these things out without being a login process on the machine...

Not necessarily, this depends on configuration.

> > Or, Mr. Nobody might set up the machine 
> > as a warez distribution site.  
> 
> Now this I would like to see done. With no login process.

Sheesh, have you heard of tftp? You are speculating about an area you do 
not know sufficiently well to comment on.

> I agree whole-heartedly with this. There is a vulnerability. It does exist.
> I think it is a good idea to educate people that it is there and the hole
> should be plugged, but let's stay within the realm of possibilities as far
> as what a hacker can and cannot do.
> 
> A hacker can, with this hole, grab your passwd file, mail it to an anon
> address, run a password cracker on it, THEN get access to a login on your
> machine at which point all of the above scenarios do come true. As long as
> you realize that it all depends on what account the hacker cracks into.

You are wrong.  I can't put it any more succinctly than that.

--
Paul Phillips       EMAIL: psp@ucsd.edu       PHONE: (619) 220-0850 
WWW: http://www.primus.com/staff/paulp/         FAX: (619) 220-0873
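
A defender's check for the point argued in the reply above, as an added example that is not part of the original message: an account with no login can still own a listening socket, so this audits a socket table for listeners owned by that uid. It assumes the Linux `/proc/net/tcp` format, uid 65534 for "nobody", and a hypothetical allowlist of one port; the sample table is constructed.

```python
import socket
import struct

LISTEN = "0A"            # state code for TCP LISTEN in /proc/net/tcp
NOBODY_UID = 65534       # assumption: common uid for "nobody"; confirm in /etc/passwd
EXPECTED_PORTS = {8080}  # assumption: the only port this account should be serving

# Constructed sample in /proc/net/tcp format (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 65534        0 1001 1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000 65534        0 1003 1
   3: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000 65534        0 1004 1
"""


def parse_listeners(text):
    """Yield (ip, port, uid, inode) for every socket in LISTEN state."""
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:
            continue                            # malformed row or not a listener
        hex_ip, hex_port = f[1].split(":")
        # The IPv4 address is stored as little-endian hex; the port is plain hex.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        yield ip, int(hex_port, 16), int(f[7]), int(f[9])


def unexpected_listeners(text, uid=NOBODY_UID, allowed=EXPECTED_PORTS):
    """Return listeners owned by `uid` on ports outside the allowlist."""
    return [l for l in parse_listeners(text) if l[2] == uid and l[1] not in allowed]


if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for ip, port, uid, inode in unexpected_listeners(SAMPLE):
        print(f"uid {uid} is listening on {ip}:{port} (socket inode {inode})")
```

The inode in each hit can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to find the owning process.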



