Premature PASV command could cause some FTP servers to crash, possibly compromising system passwords

Risk Level: Medium

Check or Attack Name: ftppasvcore

Platforms: FTP, wu-ftpd

Description:

An FTP daemon allows a premature PASV command, which can cause some FTP daemons to crash with a core dump. FTP core dumps can be used to salvage encrypted passwords, bypassing any shadow password scheme.

Remedy:

Update your FTP server.

The latest version of wu-ftpd is available from ftp://ftp.academ.com/pub/wu-ftpd/ or at http://ftp.academ.com/academ/wu-ftpd/release.html.

References:

Academ Consulting Services, WU-FTP Server Software Release Information, http://ftp.academ.com/academ/wu-ftpd/release.html

BUGTRAQ Mailing List, another two bugs in ftpd, http://www.netspace.org/cgi-bin/wa?A2=ind9610C&L=bugtraq&P=R472

