Codetalker Communications, Inc. - The AIX ftp client interprets server provided filenames

-----BEGIN PGP SIGNED MESSAGE-----

October 29 1997

===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:    The AIX ftp client interprets server provided filenames

PLATFORMS:        IBM AIX(r) 3.2, 4.1, 4.2

SOLUTION:         Remove the setuid bit from the "ftp" command.

THREAT:           Remote ftp servers can cause arbitrary commands to run on
                  the local machine.

===============================================================================
                           DETAILED INFORMATION

I.  Description

The ftp client can be tricked into running arbitrary commands supplied by the
remote server.  When the remote file begins with a pipe symbol, the ftp client
will process the contents of the remote file as a shell script.

II.  Impact

Remote ftp servers can cause arbitrary commands to run on the local machine.
This can include remote root access.

III.  Solutions

  AIX 3.2
  -------
    There are no fixes available for AIX 3.2.  It is suggested that customers
    upgrade to a higher level.

  AIX 4.1
  -------
    Apply the following fix to your system:

        APAR - IX70885

    To determine if you have this APAR on your system, run the following
    command:

       instfix -ik IX70885

    Or run the following command:

       lslpp -h bos.net.tcp.client

    Your version of bos.net.tcp.client should be 4.1.5.13 or later.

  AIX 4.2
  -------
    Apply the following fix to your system:

        APAR - IX70886

    To determine if you have this APAR on your system, run the following
    command:

       instfix -ik IX70886

    Or run the following command:

       lslpp -h bos.net.tcp.client

    Your version of bos.net.tcp.client should be 4.2.1.10 or later.

IV.  Contact Information

To request the PGP public key that can be used to encrypt new AIX security
vulnerabilities, send email to security-alert@austin.ibm.com with a subject
of "get key".

If you would like to subscribe to the AIX security newsletter, send a note to
aixserv@austin.ibm.com with a subject of "subscribe Security".  To cancel your
subscription, use a subject of "unsubscribe Security".  To see a list of other
available subscriptions, use a subject of "help".

IBM and AIX are a registered trademark of International Business Machines
Corporation.  All other trademarks are property of their respective holders.

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBNFeOWvWDLGpfj4rlAQFBtgQAwXFvM3TUyLUe4OljSyiPjbUZwFvygHdj
+QK/pPX0W89hNPzVPARf3KxXwzS3IjhXMSq4VOhGCco3ftqSKkBNzXSNoh4uY+e4
dYQVRhQ0zAOZLaWrIR3MT2kUxIbTXLhzFimCRCJgEesxUlpZ5p9rcaKctRPIYh7W
M/c621Lb0TU=
=d/G3
-----END PGP SIGNATURE-----