From: Fozzy [Hackademy Audit] (fozzy_at_dmpfrance.com)
Date: Tue Jan 28 2003 - 08:32:28 CST

    Hi all,

    --[ Description ]--

    When retrieving a file on a remote server, if the filename begins with a
    pipe character, the MIT Kerberos ftp client program (and possibly others)
    will pass the filename as a command to the local shell in a system() call.
    The standard input is the content of the file.
    This should be an old known and fixed vulnerability on many ftp clients
    (published in 1997 on the Bugtraq mailing list). However it seems it has
    never been fixed in the MIT Kerberos utilities package.

    --[ Impact ]--

    Shell commands can be issued remotely on the machine of a user who is
    retrieving files with this FTP client program, from a compromised or
    malicious ftp server. This leads to compromise of the client machine.
    For instance, some scripts use the ftp client to automatically collect and
    archive files: the compromise of the server, or of any computer on the
    local network that can do Man In the Middle attacks, leads to compromise of
    any machine downloading the files using this ftp client.

    --[ Details ]--

    mget .
    RETR "|touch testfile"
    RETR "|sh" with content of the file '|sh' being shell commands

    --[ Disclosure Policy ]--

    The Hackademy Audit team was surprised to find on December, 2002 that such
    a simple and old known vulnerability was still lying around in current
    software. So we thought that this issue might be a single distribution
    packaging problem... but on the other hand it could also affect other ftp
    clients, and could be present in many distributions and/or operating systems
    implementing Kerberos (for instance, on some default installs of the Linux
    Mandrake distribution, we found that the standard ftp client is a
    vulnerable MIT Kerberos ftp). A quick glance at the international MIT
    Kerberos source tree _seems_ to confirm that the problem is there.
    We decided then to stop investigating this issue and give our information
    to the CERT, because they can do a better investigation with different
    vendors and responsible disclosure than we can. On Friday 24th January,
    CERT published the Vulnerability Note VU#258721 about this issue, stating
    that the MIT Kerberos client is actually vulnerable, and flagging many
    vendors as having status "Unknown" or "Not vulnerable". No vendor has
    provided a patch at this time. Please understand that this is the CERT
    research and disclosure policy, not ours.
    This advisory is only posted by us to different mailing-lists as a public
    service, to attract attention of system administrators and vendors on the
    VU#258721 CERT vulnerability note, because nobody else did. If something is
    wrong, we are not the guys to blame ;-)
    Please refer to the CERT web site for accurate and up-to-date information.

    --[ Solution ]--

    Due to the disclosure policy (see above), no patches are available at this
    time. Anyway, consider that this is a 1997 public vuln. And on a client program,
    not a server.
    [Note that the standard Linux Netkit ftp client was fixed years ago]

    -- Fozzy
    The Hackademy School, Journal & Audit


    ============ FULL DISCLOSURE GOING ILLEGAL IN FRANCE =======================
    Legal notice (should be obvious), because of a new French law - yet to be
    adopted - prohibiting among other things the disclosure of tools and data
    aimed at committing cyber crimes:
    "No warranty of any kind. Advisory published in an intent to help system
    administrators to apply patches and workarounds to secure their networks
    and systems. These data are not aimed to help anyone doing any illegal
    actions. Such unfair uses of this information are forbidden."
    *** Please fight against this irresponsible law. In a few weeks, if you are
    French and a virus infects your computer, you will be an outlaw. If you are
    curious and download nmap/nessus, but don't have any personal network to
    scan, you will be an outlaw. But if you are a virus writer, this is "for
    research", so you will have no problem with this law. Wow, how good.***
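The defect described in the advisory is that a server-supplied filename is interpreted by the client rather than treated as opaque data. The following added example (written for this page, not code from MIT Kerberos, Netkit or the Hackademy Audit team) shows the kind of check a client should apply to every name received from the server before using it locally: it refuses the `|command` form that reaches system()/popen(), the `-` name that classic BSD ftp treats as stdout, absolute paths, `..` components and control characters. The function names `remote_name_is_safe` and `filter_listing` are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Return 1 if a filename received from the remote server (e.g. one entry of
 * an mget listing) may be used as a local path, 0 if it must be refused. */
int remote_name_is_safe(const char *name)
{
    const char *p;

    if (name == NULL || *name == '\0')
        return 0;
    /* "|cmd": historically handed to the shell by BSD-derived ftp clients. */
    if (name[0] == '|')
        return 0;
    /* "-" meant "write the file to stdout" in the same clients. */
    if (strcmp(name, "-") == 0)
        return 0;
    /* The server must not choose an absolute location on the client. */
    if (name[0] == '/')
        return 0;
    /* Control characters have no business in a filename. */
    for (p = name; *p != '\0'; p++)
        if (iscntrl((unsigned char)*p))
            return 0;
    /* Reject any ".." path component, so the server cannot climb directories. */
    p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (end == NULL)
            break;
        p = end + 1;
    }
    return 1;
}

/* Filter a listing of n server-supplied names; accepted names are copied into
 * `accepted` (which must hold n pointers) and the count of accepted names is
 * returned.  Refused names are simply dropped rather than interpreted. */
size_t filter_listing(const char **names, size_t n, const char **accepted)
{
    size_t kept = 0, i;
    for (i = 0; i < n; i++)
        if (remote_name_is_safe(names[i]))
            accepted[kept++] = names[i];
    return kept;
}
```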