WU-FTPD core dump vulnerability (the old patch doesn't work)

Summary
Description: A common problem with many OS's is that you can cause ftpd (or other network services) to crash and find remnants of the shadowed password file in the resultant corefile. wu-ftpd was patched, but is apparently still broken.
Author: Vadim Kolontsov <vadim@tversu.ac.ru>
Compromise: read crypt(8)ed passwords, which could lead to root (local)
Vulnerable Systems: Systems running wu-ftpd v2.1, 2.2, 3.0, possibly others.
Date: 13 April 1997
Details

Exploit:
Date: Sun, 13 Apr 1997 11:34:46 +0400
From: Vadim Kolontsov 
Reply-To: best-of-security@suburbia.net
To: best-of-security@suburbia.net
Subject: BoS:  ftpd bug (yes, again..)
Resent-Date: Sun, 13 Apr 1997 19:27:50 +1000 (EST)
Resent-From: best-of-security@suburbia.net

Hello,

  do you remember a bug with "argc > 100" in ftpd_popen(), when users were
able to kill your ftpd to produce a core dump with the shadow password? Ok, this
bug (which was reported when 2.1 was the latest release) is still present
in 2.2 & 3.0.
  Yes, ftpd was patched, but incompletely. It seems that these patches were
never tested (although I didn't check a patch against "kill -11" yet).

  Here is an additional patch for 3.0's ftpd

============================== cut here ================================
*** popen.c.old Sun Apr 13 11:22:59 1997
--- popen.c     Sun Apr 13 11:23:16 1997
***************
*** 95,101 ****
  
        /* glob each piece */
        gargv[0] = argv[0];
!       for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) 
{
                glob_t gl;
                int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
  
--- 95,101 ----
  
        /* glob each piece */
        gargv[0] = argv[0];
!       for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1) && argc 
< MAXUSRARGS; argc++) {
                glob_t gl;
                int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_QUOTE|GLOB_TILDE;
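Review bot: the new `argc < MAXUSRARGS` term sits after `argv[argc]` in the loop condition, so `argv[argc]` is still evaluated before the index is checked; on the iteration where `argc` reaches MAXUSRARGS that reads one slot past an `argv[]` of exactly MAXUSRARGS entries unless the caller guarantees a NULL terminator even when the array is full. Put the bound first, `for (gargc = argc = 1; argc < MAXUSRARGS && argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {`, so the dereference is never reached once the index is out of range. It is also worth confirming that MAXUSRARGS really is the capacity of the array `argv` points into, since the old condition bounded only `gargc` (the count of globbed output pieces) and the NULL test on `argv[argc]`, neither of which caps the index itself.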
============================== cut here ================================
  
  See the source code to understand why the previous patch was incomplete -
it's easy...
  BTW, wu-ftpd's latest beta (13) can still be killed in this way... although
wu-ftpd's maintainer was informed by me about 3 months ago.

With best regards, Vadim.

P.S. to test ftpd, do the following:

telnet your.host 21
user ftp (or your userid, if you have no anonymous ftp)
pass ftp@ (or your password)
list x x x x x x x x x x x ... (around 3 lines will be enough ;)

Bugged ftpd will die here - "Connection closed by foreign host".
Now look for core dump, extract password, start your Crack :)
--------------------------------------------------------------------------
Vadim Kolontsov                                          SysAdm/Programmer 
Tver Regional Center of New Information Technologies          Networks Lab
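Added illustration, not code from this post or from wu-ftpd: a small instrumented model of the "glob each piece" loop in ftpd_popen(), with constructed MAXUSRARGS/MAXGLOBARGS values and a stand-in for glob(3) (one name per piece, as GLOB_NOCHECK gives for a pattern that matches nothing), so the unpatched and patched loop conditions can be compared without performing a real out-of-bounds read.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed, deliberately small limits; wu-ftpd's real values differ. */
#define MAXUSRARGS  8   /* slots in the argv[] the command line is split into */
#define MAXGLOBARGS 16  /* slots in gargv[], which receives the globbed names */

/* Instrumented stand-in for the fixed-size argv[]: an index past its capacity
 * is recorded instead of being read, so the model has no undefined behaviour. */
struct usrargs {
    const char *argv[MAXUSRARGS];
    bool oob_read;
};
static const char *argv_at(struct usrargs *a, int i) {
    if (i < 0 || i >= MAXUSRARGS) { a->oob_read = true; return NULL; }
    return a->argv[i];
}

/* Stand-in for glob(3) with GLOB_NOCHECK: a piece that matches nothing expands
 * to itself, so every piece yields exactly one output name. */
static int glob_piece(const char *piece, const char **gargv, int gargc) {
    if (gargc >= MAXGLOBARGS - 1) return 0;
    gargv[gargc] = piece;
    return 1;
}

/* ftpd_popen()'s "glob each piece" loop. Unpatched, only the NULL test on
 * argv[argc] and the cap on gargc (the OUTPUT count) stop it, so a full argv[]
 * with no NULL slot left lets argc run past the end. The patched condition adds
 * the index bound, placed first so argv[argc] is never read at argc == MAXUSRARGS. */
static int glob_args(struct usrargs *a, const char **gargv, bool patched) {
    int argc, gargc;
    gargv[0] = argv_at(a, 0);
    for (gargc = argc = 1;
         (!patched || argc < MAXUSRARGS) && argv_at(a, argc) && gargc < (MAXGLOBARGS - 1);
         argc++)
        gargc += glob_piece(argv_at(a, argc), gargv, gargc);
    return gargc;
}

/* Tokenise "ls" plus (npieces - 1) "x" arguments, the way a long LIST line
 * would be split, run the loop, and return gargc, or -1 if the loop indexed
 * argv[] out of bounds. npieces == MAXUSRARGS fills the array completely. */
int run_scenario(bool patched, int npieces) {
    struct usrargs a = { .oob_read = false };
    const char *gargv[MAXGLOBARGS] = { 0 };
    for (int i = 0; i < MAXUSRARGS; i++)
        a.argv[i] = (i < npieces) ? (i == 0 ? "ls" : "x") : NULL;
    int gargc = glob_args(&a, gargv, patched);
    return a.oob_read ? -1 : gargc;
}
```

With the array filled to capacity the unpatched condition reports an out-of-bounds index (-1) while the patched one stops at MAXUSRARGS; with fewer pieces the NULL slot ends both.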


This page is part of Fyodor's exploit world.