Bugtraq mailing list archives

Aftpd core dump vulnerability


From: Nu Omega Tau <nu_omega_tau () altavista com>
Date: 7 Jan 2002 06:08:08 -0800

Ok, first I'd like to say that after hours of research, I still have no idea who really wrote aftpd nor if it has an 
official homepage. There is one aftpd site I could find but it was talking about an ftpd that only allows anonymous 
logins; this one also allows normal ones. I still think this vulnerability is worth mentioning as at least one large US 
hosting provider was affected by this bug. When connecting to it, the ftp daemon identifies itself as:

220 example.com ftp server (Version 5.4.4) ready.

The machines I saw it running on were all FreeBSD 4.2 but I've confirmed this is not a standard FreeBSD daemon.

The vulnerability is the following: when any user (including an anonymous one) executes the following command on the 
ftp server: cd ~ (yes it's that simple) aftpd dumps core in the current directory. The aftpd.core file can be 
downloaded but wouldn't contain a lot of valuable information. But, if a user would try to login first with another 
username and the wrong password, the daemon reads the entire password file into its memory. When a user afterwards logs 
in with anonymous, the cd ~ trick can be used to dump the core with the encrypted passwords in it. These can be cracked 
with your favourite password cracker.

All known users were notified. (1 user, >10000 hosts)

Vendor was not notified, my apologies for this, I just have no idea who he is.

If anyone has some more information about this daemon or knows the vendor please contact me so appropriate steps can be 
taken.

Nu Omega Tau

--------------------
Favourite pickup line: Hey baby, wanna synchronize sequence numbers?
Warning: not always effective
--------------------
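As an added, defender-side example (not part of the post above), a small log check that flags the core-file download step of the chain the post describes: an outgoing transfer of a core file, and in particular one served to an anonymous session. It assumes the server writes wu-ftpd style xferlog lines, since the post says nothing about aftpd's own logging; the log lines are constructed for illustration.

```python
"""Flag FTP transfers of core files (e.g. aftpd.core) in an xferlog.

Assumption: wu-ftpd style xferlog layout, one transfer per line:
<5-token date> <secs> <host> <bytes> <path> <type> <flag> <dir> <mode> <user> <svc> <auth> <uid> <status>
The sample below is constructed, not taken from the original post."""
import re
from typing import Dict, List

SAMPLE_XFERLOG = """\
Mon Jan  7 06:01:12 2002 3 192.0.2.10 48211 /pub/README b _ o a anon@ ftp 0 * c
Mon Jan  7 06:05:40 2002 12 192.0.2.10 1933312 /pub/aftpd.core b _ o a anon@ ftp 0 * c
Mon Jan  7 06:07:03 2002 1 198.51.100.7 20480 /home/alice/aftpd.core b _ o r alice ftp 0 * c
Mon Jan  7 06:08:08 2002 2 203.0.113.9 5120 /pub/corefile.txt b _ o a anon@ ftp 0 * c
"""

# A core dump is named "core" or "<program>.core" (FreeBSD default); match only the basename.
CORE_NAME = re.compile(r"(^|/)([^/]+\.core|core)$")


def parse_xferlog(text: str) -> List[Dict[str, object]]:
    """Split xferlog lines into the fields this check needs; skip truncated entries."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 18:
            continue  # malformed or cut-off line, not a complete transfer record
        records.append({
            "time": " ".join(f[0:5]),
            "host": f[6],
            "bytes": int(f[7]),
            "path": f[8],
            "direction": f[11],  # o = outgoing (download), i = incoming (upload)
            "mode": f[12],       # a = anonymous, r = real user, g = guest
            "user": f[13],
        })
    return records


def flag_core_downloads(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return every outgoing transfer whose basename looks like a core dump."""
    return [r for r in records
            if r["direction"] == "o" and CORE_NAME.search(str(r["path"]))]


def anonymous_core_hits(text: str) -> List[Dict[str, object]]:
    """Core downloads by anonymous sessions: the step the post describes."""
    return [r for r in flag_core_downloads(parse_xferlog(text)) if r["mode"] == "a"]


if __name__ == "__main__":
    for hit in anonymous_core_hits(SAMPLE_XFERLOG):
        print(f"{hit['time']} {hit['host']} {hit['user']} downloaded {hit['path']} ({hit['bytes']} bytes)")
```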


