[Previous] [Next] [Index]
[Thread]
Re: NCSA httpd 1.3 vulnerability still unsolved? (And where to go to solve it?)
On Sun, 9 Apr 1995, Scott Powers wrote:
> I have to argue with this...set up a telnet server? Well..okay..supposing
> "nobody" was able to _get_ the _modified_ telnet server from another site
> and get it running on the hacked site...nobody is still nobody. It has _no_
> login. It has no home directory. This "nobody" would have to change the
> passwd file to give an account to someone...something "nobody" just cannot
> do.
Sorry, you are incorrect. There is no reason that nobody needs a login
or password. All I'd have to do is bind to a socket, listen, and
fork-exec a shell for an incoming request. Why on earth would I need a
login for that? Remember, the server is glad to execute code for me.
> > Then Mr. Nobody can glean all sorts of data about your
> > internal net, and almost certainly find some more serious holes on the
> > server machine or some others.
>
> You can find these things out without being a login process on the machine...
Not necessarily, this depends on configuration.
> > Or, Mr. Nobody might set up the machine
> > as a warez distribtuion site.
>
> Now this I would like to see done. With no login process.
Sheesh, have you heard of tftp? You are speculating about an area you do
not know sufficiently well to comment on.
> I agree whole-heartedly with this. There is a vulnerability. It does exist.
> I think it is a good idea to educate people that it is there and the hole
> should be plugged, but let's stay within the realm of possibilities as far
> as what a hacker can and cannot do.
>
> A hacker can, with this hole, grab your passwd file, mail it to an anon
> address, run a password cracker on it, THEN get access to a login on your
> machine at which point all of the above scenario's do come true. As long as
> you realize that it all depends on what account the hacker cracks into.
You are wrong. I can't put it any more succinctly than that.
--
Paul Phillips EMAIL: psp@ucsd.edu PHONE: (619) 220-0850
WWW: http://www.primus.com/staff/paulp/ FAX: (619) 220-0873
References: