-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Don Stikvoort                               Index  :    S-97-78
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : AIX ftp client vulnerability                Date   :  04-Nov-97
===============================================================================

By courtesy of IBM ERS we received information on an AIX ftp client
vulnerability in IBM AIX 3.2/4.1/4.2 which makes it possible to execute
arbitrary commands at the client machine from the ftp server machine.

CERT-NL recommends following below recommendations.

(Below IBM information is copyright protected:
Copyright 1997 International Business Machines Corporation.)

==============================================================================

                             VULNERABILITY  SUMMARY

VULNERABILITY:    The AIX ftp client interprets server provided filenames

PLATFORMS:        IBM AIX(r) 3.2, 4.1, 4.2

SOLUTION:         Remove the setuid bit from the "ftp" command.

THREAT:           Remote ftp servers can cause arbitrary commands to run on
                  the local machine.


                           DETAILED INFORMATION

I.  Description

The ftp client can be tricked into running arbitrary commands supplied by the
remote server.  When the remote file begins with a pipe symbol, the ftp client
will process the contents of the remote file as a shell script.

II.  Impact

Remote ftp servers can cause arbitrary commands to run on the local machine.
This can include remote root access.

III.  Solutions

  AIX 3.2
  -------
    There are no fixes available for AIX 3.2.  It is suggested that customers
    upgrade to a higher level.

  AIX 4.1
  -------
    Apply the following fix to your system:

        APAR - IX70885

    To determine if you have this APAR on your system, run the following
    command:

       instfix -ik IX70885

    Or run the following command:

       lslpp -h bos.net.tcp.client

    Your version of bos.net.tcp.client should be 4.1.5.13 or later.

  AIX 4.2
  -------
    Apply the following fix to your system:

        APAR - IX70886

    To determine if you have this APAR on your system, run the following
    command:

       instfix -ik IX70886

    Or run the following command:

       lslpp -h bos.net.tcp.client

    Your version of bos.net.tcp.client should be 4.2.1.10 or later.

IV.  Contact Information

To request the PGP public key that can be used to encrypt new AIX security
vulnerabilities, send email to security-alert@austin.ibm.com with a subject
of "get key".

If you would like to subscribe to the AIX security newsletter, send a note to
aixserv@austin.ibm.com with a subject of "subscribe Security".  To cancel your
subscription, use a subject of "unsubscribe Security".  To see a list of other
available subscriptions, use a subject of "help".

IBM and AIX are a registered trademark of International Business Machines
Corporation.  All other trademarks are property of their respective holders.

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 52 87 92 82      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 52 87 92 82      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.

==============================================================================


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: cp850

iQCVAwUBNF54pEU5nQkWIq1FAQFKyQQAxKXT/zev0Q5M6xHkojQPzpxh1RwS+d3n
ZjmnGmU6a2z0XEAwcLlbVhFCPZJhlfw9MsT/VT8bBeAHmXR2xGRE0Y/4Z4+RCLo7
BRz8nrnOMN0cGXC+cqYIfMorPfOr6p9nnVhVRwMA0uShqfZETDraHEwYfVqQZJ5r
wNou711vDM0=
=Dhda
-----END PGP SIGNATURE-----