Bugtraq mailing list archives

Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client

From: lutz () TARANIS IKS-JENA DE (Lutz Donnerhacke)
Date: Tue, 4 Nov 1997 08:20:05 GMT


* af () C4C COM wrote:

It works on our Linux slackware as well.  I suspect most ftp
clients are susceptible to this "problem."


Tested it with
NcFTP 2.4.2:
  No security problem, the file "|sh" does exists afterwards.
netkit-ftp-0.10:
  Problem occurs as described.
Navigator/Communicator:
  No security problem, the content of the file is displayed.

I also wonder about IBM's answer:
SOLUTION:         Remove the setuid bit from the "ftp" command.

On our 4.2.1, ftp will not run if it is not suid.
Didn't somebody test this?


Yep. ftp does not need suid:
-rwxr-xr-x   1 root     root  /bin/ftp*
-rwxr-xr-x   1 root     root  /usr/bin/ncftp*

DFN-CERT corrected the solution of IBM. It was a false statment according to
them.

Current thread:

Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client af () C4C COM (Nov 03)
- <Possible follow-ups>
- Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client Lutz Donnerhacke (Nov 04)
  - netapp NFS server crash by FreeBSD client [w/patch] Dmitry Kohmanyuk Дмитрий Кохманюк (Nov 05)
  - simptcp hotfix renewed on 03/11/1997 Yves Kreis (Nov 05)
  - Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client Wolfgang Ley (Nov 06)
  - HPSBUX9710-072 Sec. Vulnerability in CDE on HP-UX 10.[10, 20, Aleph One (Nov 06)
  - Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client Troy A. Bollinger (Nov 06)
- Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client Giulio E. D. Botto (Nov 04)