[UNIX] MIT Kerberos FTP Client Remote Shell Commands Execution

From: support@securiteam.com
Date: 01/29/03

    To: list@securiteam.com
    Date: 29 Jan 2003 10:52:35 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      MIT Kerberos FTP Client Remote Shell Commands Execution
    ------------------------------------------------------------------------

    SUMMARY

    When retrieving a file on a remote server, if the filename begins with a
    pipe character, the MIT Kerberos ftp client program (and possibly others)
    will pass the filename as a command to the local shell in a system() call.
    The standard input is the content of the file.

    This should be an old, known vulnerability (published in 1997) that has
    been fixed in many FTP clients. However, it seems it has never been fixed
    in the MIT Kerberos utilities package.

    DETAILS

    Impact:
    A compromised or malicious FTP server can issue shell commands remotely on
    the machine of a user who is retrieving files with this FTP client
    program. This leads to compromise of the client machine. For instance,
    some scripts use the FTP client to automatically collect and archive
    files: the compromise of the server, or of any computer on the local
    network that can mount man-in-the-middle attacks, leads to the compromise
    of any machine downloading the files using this FTP client.

    Details:
    mget .
    ->
    (...)
    RETR "|touch testfile"
    RETR "|sh" with content of the file '|sh' being shell commands

    Solution:
    Due to the disclosure policy (see above), no patches are available at this
    time. Keep in mind, however, that this is a publicly known vulnerability
    from 1997 and that it affects a client program, not a server. [Note that
    the standard Linux Netkit FTP client was fixed years ago.]
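
    The filename handling described above, next to a hardened form, as an
    added example (not code from MIT Kerberos, Netkit or the advisory). The
    enum and function names are hypothetical, and the path checks beyond the
    leading '|' are extra hardening assumed here; the code only classifies
    names and executes nothing.

```c
#include <stddef.h>
#include <string.h>

enum origin { FROM_USER, FROM_SERVER };          /* who supplied the name */
enum sink   { SINK_FILE, SINK_COMMAND, SINK_REFUSE };

/* Behaviour described in the advisory: any name starting with '|' is
 * handed to the shell, even when it came from the server's listing. */
enum sink legacy_sink(const char *name)
{
    return (name[0] == '|') ? SINK_COMMAND : SINK_FILE;
}

/* A server-supplied name must be a plain file name in the current directory. */
static int server_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '|')
        return 0;
    if (strchr(name, '/') != NULL)               /* extra: no path components */
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    return 1;
}

/* Hardened decision: the '|' convention is honoured only for names the
 * local user typed; names from the server are files or are refused. */
enum sink hardened_sink(const char *name, enum origin who)
{
    if (who == FROM_SERVER)
        return server_name_ok(name) ? SINK_FILE : SINK_REFUSE;
    if (name == NULL || name[0] == '\0')
        return SINK_REFUSE;
    return (name[0] == '|') ? SINK_COMMAND : SINK_FILE;
}

int main(void)
{
    /* Constructed names, as they might appear in a listing during mget. */
    const char *listing[] = { "report.txt", "|touch testfile", "|sh", "../x" };
    int refused = 0;
    for (size_t i = 0; i < sizeof listing / sizeof listing[0]; i++)
        if (hardened_sink(listing[i], FROM_SERVER) == SINK_REFUSE)
            refused++;
    return refused == 3 ? 0 : 1;                 /* exit 0: three names refused */
}
```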

    ADDITIONAL INFORMATION

    The information has been provided by Fozzy <fozzy@dmpfrance.com>
    [Hackademy Audit].



