Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client

Lutz Donnerhacke (lutz@TARANIS.IKS-JENA.DE)
Tue, 4 Nov 1997 08:20:05 GMT

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Erwin J. van Eijk: "Re: MIT Kerberos V5 R1.0.2 is released"
Previous message: Yves Kreis: "simptcp hotfix renewed on 03/11/1997"
Maybe in reply to: ers@VNET.IBM.COM: "IBM-ERS Security Vulnerability Alert: The AIX ftp client"
Next in thread: Troy A. Bollinger: "Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client"

* af@C4C.COM wrote:
>It works on our Linux slackware as well.  I suspect most ftp
>clients are susceptible to this "problem."

Tested it with
NcFTP 2.4.2:
  No security problem, the file "|sh" does exists afterwards.
netkit-ftp-0.10:
  Problem occurs as described.
Navigator/Communicator:
  No security problem, the content of the file is displayed.

>I also wonder about IBM's answer:
>SOLUTION:         Remove the setuid bit from the "ftp" command.
>
>On our 4.2.1, ftp will not run if it is not suid.
>Didn't somebody test this?

Yep. ftp does not need suid:
-rwxr-xr-x   1 root     root  /bin/ftp*
-rwxr-xr-x   1 root     root  /usr/bin/ncftp*

DFN-CERT corrected the solution of IBM. It was a false statment according to
them.

Next message: Erwin J. van Eijk: "Re: MIT Kerberos V5 R1.0.2 is released"
Previous message: Yves Kreis: "simptcp hotfix renewed on 03/11/1997"
Maybe in reply to: ers@VNET.IBM.COM: "IBM-ERS Security Vulnerability Alert: The AIX ftp client"
Next in thread: Troy A. Bollinger: "Re: IBM-ERS Security Vulnerability Alert: The AIX ftp client"