{"id": "OSVDB:6087", "bulletinFamily": "software", "title": "FreeBSD Sysinstall Anonymous FTP Misconfiguration", "description": "## Vulnerability Description\nFreeBSD contains a flaw that may allow a malicious user to access the platform. The issue is triggered when a malicious user logs onto the victim system using a passwordless account \"ftp\" that is automatically created by sysinstall, while an authorized user is running the sysinstall utility. It is possible that the flaw may allow shell access (via /bin/date) resulting in a loss of integrity.\n## Solution Description\nIt is possible to correct the flaw by implementing the following workaround: use the vipw command to change \"ftp::\" to \"ftp:*:\" and the shell from \"/bin/date\" to \"/nonexistent\".\n\nAlso, FreeBSD has released a patch.\n## Short Description\nFreeBSD contains a flaw that may allow a malicious user to access the platform. The issue is triggered when a malicious user logs onto the victim system using a passwordless account \"ftp\" that is automatically created by sysinstall, while an authorized user is running the sysinstall utility. It is possible that the flaw may allow shell access (via /bin/date) resulting in a loss of integrity.\n## References:\nVendor URL: http://www.freebsd.org\nMail List Post: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/old/FreeBSD-SA-97:03.sysinstall.asc\nISS X-Force ID: 7537\n[CVE-1999-1298](https://vulners.com/cve/CVE-1999-1298)\n", "published": "1997-04-07T00:00:00", "modified": "1997-04-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:6087", "reporter": "OSVDB", "references": [], "cvelist": ["CVE-1999-1298"], "type": "osvdb", "lastseen": "2017-04-28T13:20:00", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "5cae359ecde0ee2b42ef9bc986fcd987"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "ff827fcf06687162eca0fe43c2a692b8"}, {"key": "cvss", "hash": "e5d275b3ebd62646b78320753699e02e"}, {"key": "description", "hash": "12692fece806f5c3499f3b5414ca201d"}, {"key": "href", "hash": "b7eae32f861fa5c16656024f249e9b8d"}, {"key": "modified", "hash": "88dd0e8c6c33a45be85514d7d4aad1fb"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "88dd0e8c6c33a45be85514d7d4aad1fb"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "49ddee5afd181af4af0b40f4a0cb8ae2"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "hash": "b3301af16c6e70efc9de5d6e2cff2ba5d6121dec79269ff56d020d686c867667", "viewCount": 0, "objectVersion": "1.2", "affectedSoftware": [{"name": "FreeBSD", "operator": "eq", "version": "2.2"}, {"name": "FreeBSD", "operator": "eq", "version": "2.2.1"}, {"name": "FreeBSD", "operator": "eq", "version": "2.1.5"}, {"name": "FreeBSD", "operator": "eq", "version": "2.1.7"}, {"name": "FreeBSD", "operator": "eq", "version": "2.1"}, {"name": "FreeBSD", "operator": "eq", "version": "2.1.6"}], "enchantments": {"vulnersScore": 1.2}}

{"result": {"cve": [{"id": "CVE-1999-1298", "type": "cve", "title": "CVE-1999-1298", "description": "Sysinstall in FreeBSD 2.2.1 and earlier, when configuring anonymous FTP, creates the ftp user without a password and with /bin/date as the shell, which could allow attackers to gain access to certain system resources.", "published": "1997-04-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1298", "cvelist": ["CVE-1999-1298"], "lastseen": "2016-09-03T02:27:12"}]}}