Re: NcFTP - password leaking

To: Konstantin Gavrilenko <mlists@xxxxxxxxxx>
Subject: Re: NcFTP - password leaking
From: Frank v Waveren <fvw@xxxxxx>
Date: Tue, 20 Apr 2004 19:02:15 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <408464C2.8070609@xxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <408464C2.8070609@xxxxxxxxxx>
User-agent: Mutt/1.5.5.1+cvs20040105i

On Tue, Apr 20, 2004 at 12:46:10AM +0100, Konstantin Gavrilenko wrote:
> ncftp client does not hash the password under certain conditions. And 
> such information is made available to other users through `ps aux`
[snip]
> root       798  0.0  0.1  2020 1064 pts/3    S    15:04   0:00 ncftp
> ftp://testuser:testpassword@xxxxxxxxxxxxxxxxxxx/

I assume by hashing you mean scribbling over the password value in
ARGV? That still leaves a race condition where the password is visible
between the execve and the overwriting; There is no secure way of
passing secrets on the commandline on a multiuser unix system. Use a
file descriptor or a file (either of which can ofcourse be referenced
on the command line).

-- 
Frank v Waveren                                      Fingerprint: 9106 FD0D
fvw@[var.cx|stack.nl] ICQ#10074100                      D6D9 3E7D FAF0 92D1
Public key: hkp://wwwkeys.pgp.net/8D54EB90              3931 90D6 8D54 EB90

References:
- NcFTP - password leaking
  - From: Konstantin Gavrilenko

Prev by Date: US-CERT Technical Cyber Security Alert TA04-111A -- Vulnerabilities in TCP
Next by Date: Re: phpBB 2.0.8a and lower - IP spoofing vulnerability
Previous by thread: NcFTP - password leaking
Next by thread: Re: NcFTP - password leaking
Index(es):
- Date
- Thread