Subject: Are SA2002-027 and ftpd core dumps related? (xs4)
To: NetBSD tech-security list <tech-security@netbsd.org>
From: Rogier Krieger <rogier@virgiel.nl>
List: tech-security
Date: 11/20/2002 17:09:05
Hello everyone,

Reading the SA, I wonder whether the problem mentioned in the
advisory can cause the regular NetBSD ftpd to dump core.

Twice now, the security report informed me of ftpd.core files in the
system's root directory. My connection logs tell me that, in both
cases, the remote connection comes from a source unknown to me
(somewhere in France). None of my registered users - I don't allow
anonymous access - seem to be responsible for these connections, they
seem to be probes or port scans. In my message logs, I cannot find
any odd information regarding ftpd connections or troubles
experienced by the system as a whole. Only the connections and times
on the core dumps coincide; that's all I have for data. I hope it's
not too thin for 'evidence'.

Trying to debug the core dumps, gdb tells me they are not in a format
my gdb recognises. Gdb itself is prepared for 'i386--netbsdelf' on my
system. When using less to dig through the core dump, I find far too
much information that makes me nervous. The file seems to contain
the contents of the master password database, among others. This
could of course be regular behaviour for a server running on port 21,
but it makes me hesitant to send out any core dumps to the list.

This is the output from gdb I receive (sorry for any wrapping):

GNU gdb 5.0nb1 Copyright 2000 Free Software Foundation, Inc. GDB is
free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions. Type "show copying" to see the conditions. There is
absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386--netbsdelf"..."/ftpd.core": not in
executable format: File format not recognized
The machine I use is a regular NetBSD/i386 version 1.6. I updated my
sources and userland as far as SA2002-026. I only saw the new
advisories an hour or so ago.

Does anyone know whether a core dump is a feasible scenario? I am not
into the technical details regarding the advisory. I will gladly
upgrade to the new ftpd version, as soon as I can get it updated,
built and installed.

I'd appreciate any insight. Thanks in advance,

Rogier Krieger
--
"Eagles fly, but weasels don't get caught in jet engines..."
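One way to do the log-versus-core timestamp correlation described in the post programmatically, as an added example that is not part of the original message or of NetBSD's ftpd: it parses constructed syslog lines (the "connection from" wording and the host name xs4 are assumptions to check against the real /var/log/messages) and lists the connections opened just before each core file's modification time, plus any remote address that recurs across dumps.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/messages; the 'connection from' wording is
# assumed to match what this ftpd logs and should be checked on the real system.
SAMPLE_LOG = """\
Nov 18 03:12:41 xs4 ftpd[1234]: connection from 192.0.2.17 to 198.51.100.5
Nov 18 03:12:42 xs4 ftpd[1234]: FTP LOGIN FROM 192.0.2.17 as rogier
Nov 19 22:40:07 xs4 ftpd[2345]: connection from 203.0.113.9 to 198.51.100.5
Nov 20 04:01:55 xs4 ftpd[3456]: connection from 192.0.2.17 to 198.51.100.5
Nov 20 04:01:56 xs4 ftpd[3457]: connection from 203.0.113.9 to 198.51.100.5
"""
# Constructed: modification times of the two ftpd.core files (e.g. from ls -lT).
CORE_TIMES = [datetime(2002, 11, 19, 22, 40, 9), datetime(2002, 11, 20, 4, 1, 58)]

# Syslog stamps carry no year, so the caller supplies one.
CONN_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ftpd\[(\d+)\]: connection from (\S+)")

def parse_connections(log_text, year):
    """Return [(timestamp, pid, remote_ip)] for every ftpd 'connection from' line."""
    conns = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            conns.append((stamp, int(m.group(2)), m.group(3)))
    return conns

def correlate(log_text, core_times, year, window_seconds=30):
    """Map each core time to connections opened within window_seconds before it."""
    conns = parse_connections(log_text, year)
    result = {}
    for core in core_times:
        lo = core - timedelta(seconds=window_seconds)
        result[core] = [(pid, ip) for stamp, pid, ip in conns if lo <= stamp <= core]
    return result

def suspect_sources(matches):
    """Remote addresses that show up next to more than one core dump."""
    seen = {}
    for hits in matches.values():
        for _pid, ip in hits:
            seen[ip] = seen.get(ip, 0) + 1
    return sorted(ip for ip, n in seen.items() if n > 1)

if __name__ == "__main__":
    matches = correlate(SAMPLE_LOG, CORE_TIMES, 2002)
    print(matches, "\nrepeat sources:", suspect_sources(matches))
```

The window is deliberately short because a crash writes the core within moments of the offending connection; widen it only if the clocks of the log and the filesystem are known to drift.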