[28176] in bugtraq


Re: Directory Traversal Vulnerabilities in FTP Clients

daemon@ATHENA.MIT.EDU (Stephen Samuel)
Thu Dec 12 15:54:41 2002

Message-ID: <3DF8B605.9070505@bcgreen.com>
Date: Thu, 12 Dec 2002 08:15:01 -0800
From: Stephen Samuel <samuel@bcgreen.com>
MIME-Version: 1.0
To: "Steven M. Christey" <coley@linus.mitre.org>
In-Reply-To: <200212110021.TAA26544@linus.mitre.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

I have a bone to pick with Sun's classification of the FTP traversal
vulnerability as 'not a bug'

Most notably:
>    The Solaris ftp mget behaviour is consistent with other BSD derived
>    ftp clients, for example on Linux and FreeBSD.  Changing the
>    existing behaviour will cause problems.

I will simply classify this comment as "the lemming response": 'Everybody
else has this bug, so we'll leave it that way'.

First of all, it would appear that Linux (Red-Hat) and (open)BSD
developers are responding to this issue as a bug and appear to be
developing/distributing solutions.  Secondly, these directory traversal
activities are in response to clearly non-standard responses from
a server. I can't think of any case where a legitimate FTP server
would respond with those file names and expect that the files would
be installed in such a location.

I don't see how breaking an obvious exploit that has few (if any)
legitimate uses would 'cause problems'. If Sun wants to enable the few
cases where a user actually *wanted* to enable directory traversal, it
would be easy enough to code in a runtime flag.

This issue is also not only a systems vulnerability. An attacker could,
for example, craft an exploit aimed at a specific user, resulting in
the replacement/destruction of a document with legal/political
significance.  It could also result in the destruction/modification of
system-significant files associated with an account used to do automated
downloads.

The runique and interactive workarounds are only useful for interactive
(not script or batch) downloads, and/or where existing files are not
usually expected to be replaced in the normal course of actions.

In short, I'm very disappointed by Sun's unwillingness to address this
exploit as the bug that it clearly is -- insecure actions in the face
of entirely non-standard input.
-- 
Stephen Samuel +1(604)876-0426                samuel@bcgreen.com
		   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
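A client-side check of the kind the post argues for, written here as an added example that is not code from the post, from Sun, or from any ftp client; `mget_name_ok` and its `allow_traversal` flag are assumed names standing in for the runtime flag the post suggests.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not code from the post or from any ftp client): checks
 * a file name taken from the server's NLST reply before mget uses it as
 * a local path. Strict mode rejects empty, absolute or ".."-containing
 * names; allow_traversal is the hypothetical runtime flag the post
 * suggests. Control characters are refused in either mode. */
int mget_name_ok(const char *name, int allow_traversal)
{
    const char *p;

    if (name == NULL || name[0] == '\0')
        return 0;
    for (p = name; *p != '\0'; p++)         /* no control characters */
        if ((unsigned char)*p < 0x20 || *p == 0x7f)
            return 0;
    if (allow_traversal)
        return 1;
    if (name[0] == '/')
        return 0;                           /* absolute path leaves the cwd */

    /* Walk the '/'-separated components and refuse any ".." among them;
     * "notes..txt" is fine, "a/../b" is not. */
    p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        if (end == NULL)
            return 1;
        p = end + 1;
    }
}

int main(void)
{
    /* Constructed sample listing, not a real server capture. */
    const char *const listing[] = {
        "README", "src/main.c", "notes..txt",
        "../../outside.txt", "/tmp/outside.txt", "a/../b",
    };
    size_t i;
    for (i = 0; i < sizeof listing / sizeof listing[0]; i++)
        printf("%-20s %s\n", listing[i],
               mget_name_ok(listing[i], 0) ? "ok" : "REJECTED");
    return 0;
}
```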

