FTP client pipe character allows root access
| ftp-pipe-vulnerability (605) |  High Risk |
Description:
The File Transfer Protocol (FTP) client can be tricked into executing arbitrary commands. Remote servers can name a file preceded by the pipe ("|") symbol, and the local FTP client executes that file as a shell script on the local system. It is possible that root access could be acquired using this vulnerability.
Consequences:
Gain Access
Remedy:
For IBM AIX 3.2:
Upgrade to the latest version of AIX (4.0 or later), as listed in IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1997:009.1. See References.
For IBM AIX 4.1:
Apply the APAR IX70885 patch, as listed in IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1997:009.1. See References.
For IBM AIX 4.2:
Apply the APAR IX 70886 patch, as listed in IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1997:009.1. See References.
For HP-UX 9.x:
Apply the PHNE_13595 patch, as listed in Hewlett-Packard Security Bulletin HPSBUX9807-079. See References.
For HP-UX 10.x:
Apply the appropriate patch for your system, as listed in Hewlett-Packard Security Bulletin HPSBUX9807-079. See References.
For HP-UX 11.00:
Apply the PHNE_29460 or later patch, as listed in Hewlett-Packard Security Bulletin HPSBUX01050 REVISION: 1. See References.
For HP-UX 11.04:
Apply the PHNE_31034 or later patch, as listed in Hewlett-Packard Security Bulletin HPSBUX01050 REVISION: 1. See References.
For HP-UX 11.11:
Apply the B.11.11.01.003 or later patch, as listed in Hewlett-Packard Security Bulletin HPSBUX01050 REVISION: 1. See References.
For HP-UX 11.22:
Apply the PHNE_29462 or later patch, as listed in Hewlett-Packard Security Bulletin HPSBUX01050 REVISION: 1. See References.
SunOS and Solaris users should obtain and install patches for their system. Sun Microsystems has the following patches available at the SunSolve Web site (See References):
SunOS 5.6: 106522-01
SunOS 5.6 x86: 106523-01
SunOS 5.5.1: 103603-09
SunOS 5.5.1 x86: 103604-09
SunOS 5.5: 103577-09
SunOS 5.5 x86: 103578-09
SunOS 5.4: 101945-60
SunOS 5.4 x86: 101946-53
SunOS 5.3: 101653-02
SunOS 4.1.4: 104477-04
SunOS 4.1.3_U1: 104454-04
For Red Hat Linux running the Kerberos FTP client:
Upgrade to the latest krb5 packages, as listed below. Refer to RHSA-2003:020-09 for more information. See References.
Red Hat 6.2: 1.1.1-32 or later
Red Hat 7.0, 7.1, and 7.2: 1.2.2-16 or later
Red Hat 7.3: 1.2.4-4 or later
Red Hat 8.0: 1.2.5-8 or later
For Mandrake Linux:
Upgrade to the latest krb5 package as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:021 : krb5 for more information. See References.
Mandrake Linux 8.1, 8.2 and Multi Network Firewall 8.2: 1.2.2-17.4mdk.i586.rpm
Mandrake Linux 9.0: 1.2.5-1.3mdk or later
For Caldera UnixWare 7.1.1, Caldera UnixWare 7.1.3, and OpenUnix 8.0.0:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory CSSA-2003-SCO.3. See References.
For SGI IRIX:
Upgrade to the latest version of IRIX (6.5.20 or later), or apply the appropriate patch for your system, as listed in SGI Security Advisory 20030304-01-P. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- CIAC Information Bulletin I-012: IBM AIX ftp client Vulnerability.
- CIAC Information Bulletin N-036: Updated Kerberos Packages Fix Vulnerability in ftp Client.
- CIAC Information Bulletin O-158: FTP Client Improperly handles Pipe Character in File Names [REVISED 30 Jun 2004].
- CIAC Information Bulletin O-158: FTP Client Improperly handles Pipe Character in File Names.
- Hewlett-Packard Company Security Bulletin HPSBUX9807-079: Security Vulnerability with ftp on HP-UX. (From SecurityFocus archive.)
- IBM AIX Fix Distribution Service Web site: AIX Fix Distribution Service.
- SCO Security Advisory CSSA-2003-SCO.3: UnixWare 7.1.1 Open UNIX 8.0.0 UnixWare 7.1.3 : ftp vulnerability with pipe symbols in filenames.
- SGI Security Advisory 20030304-01-P: Multiple Vulnerabilities and Enhancements in ftpd.
- Sun Microsystems, Inc. Web site: SunSolve Online.
- VulnWatch Mailing List, Tue Jan 28 2003 - 08:32:28 CST : MIT Kerberos FTP client remote shell commands execution.
- BID-396: Multiple Vendor FTP pipe Vulnerability
- CVE-1999-0097: The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).
- CVE-2003-0041: Kerberos FTP client allows remote FTP sites to execute arbitrary code via a pipe (|) character in a filename that is retrieved by the client.
- MDKSA-2003:021: Updated krb5 packages fix vulnerability in FTP client
- RHSA-2003-020: Updated kerberos packages fix vulnerability in ftp client
- RHSA-2003-021: krb5 security update
- RHSA-2003-168: Updated kerberos packages fix various vulnerabilities
- SA7979: RedHat updates to Kerberos FTP client
- US-CERT VU#258721: Various FTP clients fail to account for pipe (|) characters in default file names
Platforms Affected:
- HP HP-UX 10.00
- HP HP-UX 10.10
- HP HP-UX 10.16
- HP HP-UX 10.20
- HP HP-UX 10.24
- HP HP-UX 11
- HP HP-UX 11.00
- HP HP-UX 11.04
- HP HP-UX 11.11
- HP HP-UX 11.22
- HP HP-UX 9.00
- HP HP-UX 9.01
- HP HP-UX 9.03
- HP HP-UX 9.04
- HP HP-UX 9.05
- HP HP-UX 9.06
- HP HP-UX 9.07
- HP HP-UX 9.08
- HP HP-UX 9.09
- HP HP-UX 9.10
- IBM AIX 3.2
- IBM AIX 3.2.4
- IBM AIX 3.2.5
- IBM AIX 4.1
- IBM AIX 4.1.1
- IBM AIX 4.1.2
- IBM AIX 4.1.3
- IBM AIX 4.1.4
- IBM AIX 4.1.5
- IBM AIX 4.2
- IBM AIX 4.2.1
- MandrakeSoft Mandrake Linux 8.1 IA64
- MandrakeSoft Mandrake Linux 8.1
- MandrakeSoft Mandrake Linux 8.2 PPC
- MandrakeSoft Mandrake Linux 8.2
- MandrakeSoft Mandrake Linux 9.0
- MandrakeSoft Mandrake Multi Network Firewall 8.2
- MIT Kerberos FTP Client
- RedHat Enterprise Linux 2.1 AS
- RedHat Linux 6.2
- RedHat Linux 7
- RedHat Linux 7.1
- RedHat Linux 7.1 for iSeries
- RedHat Linux 7.1 for pSeries
- RedHat Linux 7.2
- RedHat Linux 7.3
- RedHat Linux 8.0
- RedHat Linux Advanced Workstation 2.1 Itanium
- SCO Caldera OpenUnix 8.0.0
- SCO Caldera UnixWare 7.1.1
- SCO Caldera UnixWare 7.1.3
- SGI IRIX 6.0
- SGI IRIX 6.0.1
- SGI IRIX 6.1
- SGI IRIX 6.2
- SGI IRIX 6.3
- SGI IRIX 6.4
- SGI IRIX 6.5
- SGI IRIX 6.5.1
- SGI IRIX 6.5.10
- SGI IRIX 6.5.10f
- SGI IRIX 6.5.10m
- SGI IRIX 6.5.11
- SGI IRIX 6.5.11f
- SGI IRIX 6.5.11m
- SGI IRIX 6.5.12
- SGI IRIX 6.5.12f
- SGI IRIX 6.5.12m
- SGI IRIX 6.5.13
- SGI IRIX 6.5.13f
- SGI IRIX 6.5.13m
- SGI IRIX 6.5.14
- SGI IRIX 6.5.14f
- SGI IRIX 6.5.14m
- SGI IRIX 6.5.15
- SGI IRIX 6.5.15f
- SGI IRIX 6.5.15m
- SGI IRIX 6.5.16
- SGI IRIX 6.5.16f
- SGI IRIX 6.5.16m
- SGI IRIX 6.5.17
- SGI IRIX 6.5.17f
- SGI IRIX 6.5.17m
- SGI IRIX 6.5.18
- SGI IRIX 6.5.18f
- SGI IRIX 6.5.18m
- SGI IRIX 6.5.19
- SGI IRIX 6.5.19f
- SGI IRIX 6.5.19m
- SGI IRIX 6.5.2
- SGI IRIX 6.5.2f
- SGI IRIX 6.5.2m
- SGI IRIX 6.5.3
- SGI IRIX 6.5.3f
- SGI IRIX 6.5.3m
- SGI IRIX 6.5.4
- SGI IRIX 6.5.4f
- SGI IRIX 6.5.4m
- SGI IRIX 6.5.5
- SGI IRIX 6.5.5f
- SGI IRIX 6.5.5m
- SGI IRIX 6.5.6
- SGI IRIX 6.5.6f
- SGI IRIX 6.5.6m
- SGI IRIX 6.5.7
- SGI IRIX 6.5.7f
- SGI IRIX 6.5.7m
- SGI IRIX 6.5.8
- SGI IRIX 6.5.8f
- SGI IRIX 6.5.8m
- SGI IRIX 6.5.9
- SGI IRIX 6.5.9f
- SGI IRIX 6.5.9m
- Sun Solaris 1.0
- Sun Solaris 2.3
- Sun Solaris 2.4 x86
- Sun Solaris 2.5.1 PPC
- Sun Solaris 2.5.1
- Sun Solaris 2.5.1 x86
- Sun Solaris 2.6 x86
- Sun Solaris 2.6
- Sun SunOS 4.1.3c
- Sun SunOS 4.1.3u1
- Sun SunOS 4.1.4
Reported:
Oct 01, 1997
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net