[5487] in bugtraq


Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client

daemon@ATHENA.MIT.EDU (Lutz Donnerhacke)
Thu Nov 6 16:02:19 1997

Date: Tue, 4 Nov 1997 08:20:05 GMT
Reply-To: Lutz Donnerhacke <lutz@TARANIS.IKS-JENA.DE>
From: Lutz Donnerhacke <lutz@TARANIS.IKS-JENA.DE>
To: BUGTRAQ@NETSPACE.ORG

* af@C4C.COM wrote:
>It works on our Linux slackware as well.  I suspect most ftp
>clients are susceptible to this "problem."

Tested it with
NcFTP 2.4.2:
  No security problem, the file "|sh" does exist afterwards.
netkit-ftp-0.10:
  Problem occurs as described.
Navigator/Communicator:
  No security problem, the content of the file is displayed.

>I also wonder about IBM's answer:
>SOLUTION:         Remove the setuid bit from the "ftp" command.
>
>On our 4.2.1, ftp will not run if it is not suid.
>Didn't somebody test this?

Yep. ftp does not need suid:
-rwxr-xr-x   1 root     root  /bin/ftp*
-rwxr-xr-x   1 root     root  /usr/bin/ncftp*

DFN-CERT corrected the solution of IBM. It was a false statement according to
them.
