[UNIX] MIT Kerberos FTP Client Remote Shell Commands Execution

From: support@securiteam.com
Date: 01/29/03

    To: list@securiteam.com
    Date: 29 Jan 2003 10:52:35 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      MIT Kerberos FTP Client Remote Shell Commands Execution
    ------------------------------------------------------------------------

    SUMMARY

    When a file is retrieved from a remote server and its name begins with a
    pipe character (|), the MIT Kerberos ftp client (and possibly other
    BSD-derived clients) hands the rest of the name to the local shell as a
    command in a system() call, and the downloaded file content becomes that
    command's standard input.

    This is an old, publicly known vulnerability (published in 1997) that was
    fixed in many FTP clients at the time. It appears, however, that it has
    never been fixed in the MIT Kerberos utilities package.

    DETAILS

    Impact:
    A compromised or malicious FTP server can execute shell commands on the
    machine of any user who retrieves files from it with this client, which
    amounts to a compromise of the client machine. No interaction beyond a
    wildcard retrieval such as "mget ." is needed, because the client takes
    the local filenames from the server's directory listing, i.e. the server
    chooses them. The exposure is worst for unattended use: scripts commonly
    drive the FTP client to collect and archive files automatically, so the
    compromise of the server, or of any host on the local network that is
    positioned to mount a man-in-the-middle attack, leads to the compromise
    of every machine that downloads files with this client.

    Details:
    With a directory listing prepared by the server, the session looks like
    this:

    mget .
    ->
    (...)
    RETR "|touch testfile"
    RETR "|sh"          (the content of the file '|sh' being shell commands)

    The first RETR makes the client run "touch testfile" locally. The second
    pipes the downloaded content into "sh", so the server supplies an
    arbitrary script that runs with the privileges of the user running ftp.
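    The exchange above, replayed in memory as an added example (this is the editor's illustration, not code from the advisory or from the MIT Kerberos sources). The fake server, its directory listing and its file contents are constructed; the vulnerable store mimics the BSD-style "|command" behaviour the advisory describes, and safe_local_name() is the editor's own assumption about a reasonable client-side fix, not the vendor's patch. The vulnerable path really executes the server-chosen commands, so it is run inside a fresh temporary directory on a POSIX host.

```python
"""Replay of 'mget .' against a hostile FTP server, vulnerable and hardened.

Added example, not from the advisory. Server replies are constructed.
"""
import os
import subprocess
import tempfile


class HostileServer:
    """Fake FTP server (constructed data, not a real capture). It answers
    NLST with names it chose and RETR with content it chose."""

    def __init__(self):
        # Attacker-controlled entries: a harmless file, a shell one-liner as
        # a name, and '|sh' whose *content* is the script to run.
        self.files = {
            "README": b"hello\n",
            "|touch testfile": b"",
            "|sh": b"touch pwned_via_sh\n",
        }
        self.log = []  # commands the client sent, for inspection

    def nlst(self):
        self.log.append("NLST")
        return list(self.files)

    def retr(self, name):
        self.log.append('RETR "%s"' % name)
        return self.files[name]


def vulnerable_store(local_name, data, workdir):
    """Mimics the classic BSD/MIT ftp behaviour described in the advisory:
    a local name starting with '|' is handed to the shell as a command and
    the file content becomes its standard input."""
    if local_name.startswith("|"):
        subprocess.run(local_name[1:], shell=True, input=data,
                       cwd=workdir, check=False)
        return "executed"
    with open(os.path.join(workdir, local_name), "wb") as f:
        f.write(data)
    return "stored"


def safe_local_name(server_name):
    """Editor's hardening (an assumption, not the MIT fix): a name taken
    from the server is only ever a plain file name in the current
    directory. Reject pipes, path separators and control characters."""
    if not server_name or server_name.startswith("|"):
        return None
    if "/" in server_name or server_name in (".", ".."):
        return None
    if any(c in server_name for c in "\0\n\r"):
        return None
    return server_name


def mget_all(server, workdir, hardened):
    """Replay 'mget .': list the directory, RETR each entry, store it.
    With hardened=False the server-chosen name is used as-is."""
    results = {}
    for name in server.nlst():
        local = safe_local_name(name) if hardened else name
        if local is None:
            results[name] = "rejected"
            continue
        results[name] = vulnerable_store(local, server.retr(name), workdir)
    return results


def demo(hardened):
    """Run one session in a fresh temp dir; return (per-file outcome,
    files that exist afterwards, commands the server saw)."""
    workdir = tempfile.mkdtemp()
    server = HostileServer()
    results = mget_all(server, workdir, hardened)
    return results, sorted(os.listdir(workdir)), server.log


if __name__ == "__main__":
    print("vulnerable:", demo(hardened=False))
    print("hardened:  ", demo(hardened=True))
```

    In the vulnerable run the directory ends up containing testfile and pwned_via_sh, created by commands the server named; in the hardened run only README is fetched and the two pipe entries are never even requested. The check is deliberately stricter than "no leading |": anything with a path separator is refused too, since a listing is the server's data and should never pick a location outside the working directory.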

    Solution:
    Due to the disclosure policy (see above), no patches are available at this
    time. Keep in mind, however, that this is a vulnerability published in
    1997, and that it affects a client program, not a server. [Note that the
    standard Linux Netkit FTP client was fixed years ago.]

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:fozzy@dmpfrance.com> Fozzy
    [Hackademy Audit].

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
