Security Incidents mailing list archives

Re: wuftp exploit


From: drow () FALSE ORG (Daniel Jacobowitz)
Date: Wed, 28 Jun 2000 17:07:09 -0700


On Wed, Jun 28, 2000 at 11:47:38AM -0700, Toby Miller wrote:
> All,
> I have been doing some analysis on the WUFTP exploit, hopefully this will help.
>
> Here is a tcpdump of the exploit running on my lab:

<snip>

> 1) This exploit can be run against the following OS's:
>
> a) Redhat 6.2
> b) SuSe 6.3 & 6.4
> c) FreeBsd 3.4 & 4.0

And anything else that runs Wu, yes.  It just needs simple changes.

> 2) The ID's (highlighted in green) increment by 1. I ran this exploit
> 5 times and all five times the ID's incremented by one throughout
> the attempt.

That's just a symptom of low network traffic and a lousy random number
generator.

> 3) The two packets with the Psh flag set always contain ten bytes of
> data. The hex data looks like this: 5553 4552 2066 7470 0d0a

Yes, congratulations.  That expands to:
USER ftp\r\n

You just logged all anonymous ftp connections.  There are easier ways.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan () debian org         |  |       dmj+ () andrew cmu edu      |
\--------------------------------/  \--------------------------------/
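
The point made in the reply above, as an added example that is not part of the original message: the ten-byte payload decodes to an ordinary FTP login command, so a signature keyed on it fires on every anonymous login. The session names and payloads are constructed sample data, and the helper names are hypothetical.

```python
def decode_tcpdump_hex(dump: str) -> bytes:
    """Turn tcpdump -x style hex groups ('5553 4552 ...') into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_ftp_command(payload: bytes):
    """Split one FTP control-channel line into (verb, argument)."""
    if not payload.endswith(b"\r\n"):
        raise ValueError("not a complete FTP command line")
    verb, _, arg = payload[:-2].decode("ascii").partition(" ")
    return verb.upper(), arg


# Candidate signature proposed in the thread: the 10-byte PSH payload.
CANDIDATE = decode_tcpdump_hex("5553 4552 2066 7470 0d0a")

# Constructed sample traffic: client-to-server payloads of benign sessions.
SESSIONS = {
    "mirror-sync": [b"USER ftp\r\n", b"PASS mirror@example.org\r\n",
                    b"RETR ls-lR.gz\r\n", b"QUIT\r\n"],
    "browser-download": [b"USER ftp\r\n", b"PASS guest@\r\n",
                         b"CWD /pub\r\n", b"RETR README\r\n"],
    "named-user": [b"USER alice\r\n", b"PASS (constructed)\r\n",
                   b"LIST\r\n"],
}


def signature_hits(sessions, signature):
    """Names of sessions in which any client payload contains the signature."""
    return [name for name, payloads in sessions.items()
            if any(signature in p for p in payloads)]


def false_positive_rate(sessions, signature):
    """Share of sessions flagged; all sample sessions are benign by construction."""
    return len(signature_hits(sessions, signature)) / len(sessions)


if __name__ == "__main__":
    print("signature decodes to:", parse_ftp_command(CANDIDATE))
    print("benign sessions flagged:", signature_hits(SESSIONS, CANDIDATE))
    print("false-positive rate: %.0f%%"
          % (100 * false_positive_rate(SESSIONS, CANDIDATE)))
```

Every benign anonymous login in the sample is flagged, which is why the payload alone tells an analyst nothing about whether an exploit attempt followed the login.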

