FTP client pipe character allows root access

ftp-pipe-vulnerability (605)

High Risk

Description:

The File Transfer Protocol (FTP) client can be tricked into executing arbitrary commands. Remote servers can name a file preceded by the pipe ("|") symbol, and the local FTP client executes that file as a shell script on the local system. It is possible that root access could be acquired using this vulnerability.

Platforms Affected:

• HP, HP-UX 10.00
• HP, HP-UX 10.10
• HP, HP-UX 10.16
• HP, HP-UX 10.20
• HP, HP-UX 10.24
• HP, HP-UX 11
• HP, HP-UX 11.00
• HP, HP-UX 11.04
• HP, HP-UX 11.11
• HP, HP-UX 11.22
• HP, HP-UX 9.00
• HP, HP-UX 9.01
• HP, HP-UX 9.03
• HP, HP-UX 9.04
• HP, HP-UX 9.05
• HP, HP-UX 9.06
• HP, HP-UX 9.07
• HP, HP-UX 9.08
• HP, HP-UX 9.09
• HP, HP-UX 9.10
• IBM, AIX 3.2
• IBM, AIX 3.2.4
• IBM, AIX 3.2.5
• IBM, AIX 4.1
• IBM, AIX 4.1.1
• IBM, AIX 4.1.2
• IBM, AIX 4.1.3
• IBM, AIX 4.1.4
• IBM, AIX 4.1.5
• IBM, AIX 4.2
• IBM, AIX 4.2.1
• MandrakeSoft, Mandrake Linux 8.1
• MandrakeSoft, Mandrake Linux 8.1 IA64
• MandrakeSoft, Mandrake Linux 8.2
• MandrakeSoft, Mandrake Linux 8.2 PPC
• MandrakeSoft, Mandrake Linux 9.0
• MandrakeSoft, Mandrake Multi Network Firewall 8.2
• MIT, Kerberos FTP Client
• RedHat, Enterprise Linux 2.1 AS
• RedHat, Linux 6.2
• RedHat, Linux 7
• RedHat, Linux 7.1
• RedHat, Linux 7.1 for iSeries
• RedHat, Linux 7.1 for pSeries
• RedHat, Linux 7.2
• RedHat, Linux 7.3
• RedHat, Linux 8.0
• RedHat, Linux Advanced Workstation 2.1 Itanium
• SCO, Caldera OpenUnix 8.0.0
• SCO, Caldera UnixWare 7.1.1
• SCO, Caldera UnixWare 7.1.3
• SGI, IRIX 6.0
• SGI, IRIX 6.0.1
• SGI, IRIX 6.1
• SGI, IRIX 6.2
• SGI, IRIX 6.3
• SGI, IRIX 6.4
• SGI, IRIX 6.5
• SGI, IRIX 6.5.1
• SGI, IRIX 6.5.10
• SGI, IRIX 6.5.10f
• SGI, IRIX 6.5.10m
• SGI, IRIX 6.5.11
• SGI, IRIX 6.5.11f
• SGI, IRIX 6.5.11m
• SGI, IRIX 6.5.12
• SGI, IRIX 6.5.12f
• SGI, IRIX 6.5.12m
• SGI, IRIX 6.5.13
• SGI, IRIX 6.5.13f
• SGI, IRIX 6.5.13m
• SGI, IRIX 6.5.14
• SGI, IRIX 6.5.14f
• SGI, IRIX 6.5.14m
• SGI, IRIX 6.5.15
• SGI, IRIX 6.5.15f
• SGI, IRIX 6.5.15m
• SGI, IRIX 6.5.16
• SGI, IRIX 6.5.16f
• SGI, IRIX 6.5.16m
• SGI, IRIX 6.5.17
• SGI, IRIX 6.5.17f
• SGI, IRIX 6.5.17m
• SGI, IRIX 6.5.18
• SGI, IRIX 6.5.18f
• SGI, IRIX 6.5.18m
• SGI, IRIX 6.5.19
• SGI, IRIX 6.5.19f
• SGI, IRIX 6.5.19m
• SGI, IRIX 6.5.2
• SGI, IRIX 6.5.2f
• SGI, IRIX 6.5.2m
• SGI, IRIX 6.5.3
• SGI, IRIX 6.5.3f
• SGI, IRIX 6.5.3m
• SGI, IRIX 6.5.4
• SGI, IRIX 6.5.4f
• SGI, IRIX 6.5.4m
• SGI, IRIX 6.5.5
• SGI, IRIX 6.5.5f
• SGI, IRIX 6.5.5m
• SGI, IRIX 6.5.6
• SGI, IRIX 6.5.6f
• SGI, IRIX 6.5.6m
• SGI, IRIX 6.5.7
• SGI, IRIX 6.5.7f
• SGI, IRIX 6.5.7m
• SGI, IRIX 6.5.8
• SGI, IRIX 6.5.8f
• SGI, IRIX 6.5.8m
• SGI, IRIX 6.5.9
• SGI, IRIX 6.5.9f
• SGI, IRIX 6.5.9m
• Sun, Solaris 1.0
• Sun, Solaris 2.3
• Sun, Solaris 2.4 x86
• Sun, Solaris 2.5.1 x86
• Sun, Solaris 2.5.1 PPC
• Sun, Solaris 2.5.1
• Sun, Solaris 2.6 x86
• Sun, Solaris 2.6
• Sun, SunOS 4.1.3c
• Sun, SunOS 4.1.3u1
• Sun, SunOS 4.1.4

Remedy:

For IBM AIX 3.2:
Upgrade to the latest version of AIX (4.0 or later), as listed in IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1997:009.1. See References.

For IBM AIX 4.1:
Apply the APAR IX70885 patch, as listed in IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1997:009.1. See References.

For IBM AIX 4.2:
Apply the APAR IX 70886 patch, as listed in IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1997:009.1. See References.

For HP-UX 9.x:
Apply the PHNE_13595 patch, as listed in Hewlett-Packard Security Bulletin HPSBUX9807-079. See References.

For HP-UX 10.x:
Apply the appropriate patch for your system, as listed in Hewlett-Packard Security Bulletin HPSBUX9807-079. See References.

For HP-UX 11.00:
Apply the PHNE_29460 or later patch, as listed in Hewlett-Packard Security Bulletin HPSBUX01050 REVISION: 1. See References.

For HP-UX 11.04:
Apply the PHNE_31034 or later patch, as listed in Hewlett-Packard Security Bulletin HPSBUX01050 REVISION: 1. See References.

For HP-UX 11.11:
Apply the B.11.11.01.003 or later patch, as listed in Hewlett-Packard Security Bulletin HPSBUX01050 REVISION: 1. See References.

For HP-UX 11.22:
Apply the PHNE_29462 or later patch, as listed in Hewlett-Packard Security Bulletin HPSBUX01050 REVISION: 1. See References.

SunOS and Solaris users should obtain and install patches for their system. Sun Microsystems has the following patches available at the SunSolve Web site (See References):
SunOS 5.6: 106522-01
SunOS 5.6 x86: 106523-01
SunOS 5.5.1: 103603-09
SunOS 5.5.1 x86: 103604-09
SunOS 5.5: 103577-09
SunOS 5.5 x86: 103578-09
SunOS 5.4: 101945-60
SunOS 5.4 x86: 101946-53
SunOS 5.3: 101653-02
SunOS 4.1.4: 104477-04
SunOS 4.1.3_U1: 104454-04

For Red Hat Linux running the Kerberos FTP client:
Upgrade to the latest krb5 packages, as listed below. Refer to RHSA-2003:020-09 for more information. See References.

Red Hat 6.2: 1.1.1-32 or later
Red Hat 7.0, 7.1, and 7.2: 1.2.2-16 or later
Red Hat 7.3: 1.2.4-4 or later
Red Hat 8.0: 1.2.5-8 or later

For Mandrake Linux:
Upgrade to the latest krb5 package as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2003:021 : krb5 for more information. See References.

Mandrake Linux 8.1, 8.2 and Multi Network Firewall 8.2: 1.2.2-17.4mdk.i586.rpm
Mandrake Linux 9.0: 1.2.5-1.3mdk or later

For Caldera UnixWare 7.1.1, Caldera UnixWare 7.1.3, and OpenUnix 8.0.0:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory CSSA-2003-SCO.3. See References.

For SGI IRIX:
Upgrade to the latest version of IRIX (6.5.20 or later), or apply the appropriate patch for your system, as listed in SGI Security Advisory 20030304-01-P. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

• CIAC Information Bulletin I-012, IBM AIX ftp client Vulnerability at http://www.ciac.org/ciac/bulletins/i-012.shtml.
• CIAC Information Bulletin N-036, Updated Kerberos Packages Fix Vulnerability in ftp Client at http://www.ciac.org/ciac/bulletins/n-036.shtml.
• CIAC Information Bulletin O-158, FTP Client Improperly handles Pipe Character in File Names [REVISED 30 Jun 2004] at http://www.ciac.org/ciac/bulletins/o-158.shtml.
• CIAC Information Bulletin O-158, FTP Client Improperly handles Pipe Character in File Names at http://www.ciac.org/ciac/bulletins/o-158.shtml.
• Hewlett-Packard Company Security Bulletin HPSBUX9807-079, Security Vulnerability with ftp on HP-UX at http://online.securityfocus.com/advisories/1479. (From SecurityFocus archive.)
• IBM AIX Fix Distribution Service Web site, AIX Fix Distribution Service at http://www-03.ibm.com/servers/eserver/support/unixservers/aixfixes.html.
• SCO Security Advisory CSSA-2003-SCO.3, UnixWare 7.1.1 Open UNIX 8.0.0 UnixWare 7.1.3 : ftp vulnerability with pipe symbols in filenames at ftp://ftp.sco.com/pub/updates/UnixWare/CSSA-2003-SCO.3.
• SGI Security Advisory 20030304-01-P, Multiple Vulnerabilities and Enhancements in ftpd at ftp://patches.sgi.com/support/free/security/advisories/20030304-01-P.
• Sun Microsystems, Inc. Web site, SunSolve Online at http://sunsolve.sun.com/.
• VulnWatch Mailing List, Tue Jan 28 2003 - 08:32:28 CST , MIT Kerberos FTP client remote shell commands execution at http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0047.html.
• BID-396: Multiple Vendor FTP pipe Vulnerability
• CVE-1999-0097: The AIX FTP client can be forced to execute commands from a malicious server through shell metacharacters (e.g. a pipe character).
• CVE-2003-0041: Kerberos FTP client allows remote FTP sites to execute arbitrary code via a pipe (|) character in a filename that is retrieved by the client.
• MDKSA-2003:021: Updated krb5 packages fix vulnerability in FTP client
• RHSA-2003-020: Updated kerberos packages fix vulnerability in ftp client
• RHSA-2003-021: krb5 security update
• RHSA-2003-168: Updated kerberos packages fix various vulnerabilities
• SA7979: RedHat updates to Kerberos FTP client
• US-CERT VU#258721: Various FTP clients fail to account for pipe (|) characters in default file names

Reported:

Oct 01, 1997

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page