-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Teun Nijssen                                Index  :    S-98-47
Distribution  : World                                       Page   :          1
Classification: External                                    Version:          1
Subject       : Vulnerability with ftp on HP-UX             Date   :  24-Jul-98
===============================================================================

By courtesy of Hewlett-Packard we received information on
a vulnerability in ftp.

==============================================================================

 -------------------------------------------------------------------------
        HEWLETT-PACKARD SECURITY BULLETIN: #00079  23 July 1998
 -------------------------------------------------------------------------

The information in the following Security Bulletin should be acted upon
as soon as possible.  Hewlett-Packard will not be liable for any
consequences to any customer resulting from customer's failure to fully
implement instructions in this Security Bulletin as soon as possible.

 -------------------------------------------------------------------------
PROBLEM: ftp client interprets server provided filenames which can
         cause commands to be run on the client.

PLATFORM: HP9000 series 700/800, HP-UX releases 9.X, 10.X, and 11.00

DAMAGE:   Local users can increase their privileges

SOLUTION: Install the patches listed below.

AVAILABILITY: All patches are available now, except as noted.

 -------------------------------------------------------------------------
I.
   A. Background

   The ftp client can be tricked into running arbitrary commands
   supplied by the remote server.

   B. Fixing the problem

   Install the applicable patches for the fileset: ARPA-RUN ARPA-MAN
         HP-UX release   9.X                 PHNE_13595

   Install the applicable patches for the fileset:
   InternetSrvcs.INETSVCS-RUN or InternetSrvcs.INET-ENG-A-MAN.

         HP-UX release   10.0,10.01,10.10    PHNE_13596
         HP-UX release   10.16               PHNE_16006 *
         HP-UX release   10.20               PHNE_13597
         HP-UX release   10.24               PHNE_15802
         HP-UX release   11.00               PHNE_14479

   The CMW release (HP-UX 10.16) will be available after 10 August 98.

   Install the applicable patches for the fileset:
   InternetSvcSec.INETSVCS-SEC or InternetSvcSec.ISEC-ENG-A-MAN,
   (Secure Internet Services),
         HP-UX release   10.20               PHNE_15544


   C. Recommended solution - Install the applicable patches.
      NOTE: The Secure Internet Services product, if enabled, has to
            be disabled before the installation and removal of
            patch PHNE_15544 for HP-UX 10.20.
            If Secure Internet Services is enabled during patch
            installation, the installation will fail with an error.
      NOTE: On the HP-UX 11.00 release patch only:
            This version of FTP has some new configuration files that
            can be used to take advantage of new functionality. Sample
            of the new configuration files are provided in
            /usr/newconfig/etc/ftpd.
            These files can be altered per your needs and copied
            to the location /etc/ftpd.  Information on these new
            features introduced by this new version of ftpd are in
            the file:
                  /usr/share/doc/RelNotes_newftp.txt

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is
the Dutch network for educational, research and related institutes. CERT-NL is a
member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://www.surfnet.nl/surfnet/security/cert-nl.html
  ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 52 87 92 82      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 52 87 92 82      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.

==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>

iQCVAwUBNbgr4FpSTqmIRWKVAQFDVwP9Ewu5TkNVWSPxNdBoUcY+3c+BqXYIDUZs
TzfPins9UHIeOLBdBocjI+RBdqXGpStcF8V1OSpEGxO0OJC04mVzVc8cRciE5U7f
k7AnTBYsALQ2ugXm97SolMsYq74VmWT8WW5qNaXPfu/yO1ypxeO+VkIJOofzkeuv
cvr/TiCTwWY=
=XojV
-----END PGP SIGNATURE-----