Category:   Application (Security)  >   Kerberos FTP Client
Vendors:   MIT
Kerberos and Other FTP Clients Allow Malicious FTP Servers to Execute Arbitrary Code on the Client
SecurityTracker Alert ID:  1006006
SecurityTracker URL:  http://securitytracker.com/id/1006006
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 29 2003
Impact:   Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): Kerberos 5, 1.2.7 and prior versions
Description:   An input validation vulnerability was reported in the MIT Kerberos FTP client and possibly other FTP clients. A remote user (malicious FTP server) can cause arbitrary shell commands to be executed on the client.

According to the report, this type of vulnerability was originally reported in 1997, but is still present in the current release of the Kerberos FTP client and possibly FTP client software from other vendors.

The Hackademy Audit team reported that if the remote filename begins with a pipe character '|', the client passes the remote filename as a command to a system() call when the file is retrieved from the server. As a result, arbitrary shell commands contained in the filename (or, when the command is a shell, in the file contents) may be executed by the client with the privileges of the user running the FTP client.

A demonstration exploit transcript is provided:

mget .
->
(...)
RETR "|touch testfile"
RETR "|sh" with content of the file '|sh' being shell commands
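As an added illustration (not code from MIT Kerberos or from the advisory), the C below models the decision the advisory describes, a leading '|' in a retrieved filename being routed to a shell, as a string-valued stub so that nothing is executed, beside a hypothetical validation check that rejects server-chosen names before the client uses them locally. The function names and the verdict enum are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Outcome of deciding how the client should treat a filename received
 * from the server (e.g. one of the names mget expands from a listing). */
enum name_verdict {
    NAME_OK = 0,          /* plain file name: safe to fopen() locally */
    NAME_REJECT_PIPE,     /* starts with '|': would be handed to a shell */
    NAME_REJECT_PATH,     /* contains '/' or is "." / "..": path escape */
    NAME_REJECT_CTRL      /* empty name or control characters */
};

/* Hypothetical hardening check (not MIT's code): a name chosen by the
 * server must never be interpreted as a command or as a path. */
enum name_verdict validate_server_filename(const char *name)
{
    if (name == NULL || *name == '\0')
        return NAME_REJECT_CTRL;
    if (name[0] == '|')
        return NAME_REJECT_PIPE;
    if (strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return NAME_REJECT_PATH;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (iscntrl(*p))
            return NAME_REJECT_CTRL;
    return NAME_OK;
}

/* The behaviour the advisory describes: when choosing where to store a
 * retrieved file, a leading '|' means "pipe the data into a shell".
 * Modelled as a string so this demo never runs anything. */
const char *sink_for_name_unchecked(const char *name)
{
    return (name[0] == '|') ? "popen(shell)" : "fopen(file)";
}

/* Hardened variant: server-supplied names pass the validator first and
 * are only ever opened as plain local files, or skipped. */
const char *sink_for_name_checked(const char *name)
{
    return validate_server_filename(name) == NAME_OK ? "fopen(file)" : "skip";
}
```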

According to CERT, the vendor is working on a fix.

Impact:   A remote user (acting as an FTP server) can execute arbitrary shell commands on the target client system when the target client retrieves a malicious file from the server. The commands will run with the privileges of the target FTP client user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  web.mit.edu/kerberos/www/index.html
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.


 Source Message Contents

Subject:  [VulnWatch] MIT Kerberos FTP client remote shell commands execution



Hi all,

--[ Description ]--

When retrieving a file on a remote server, if the filename begins with a 
pipe character, the MIT Kerberos ftp client program (and possibly others) 
will pass the filename as a command to the local shell in a system() call. 
The standard input is the content of the file.
This should be an old, known and fixed vulnerability on many ftp clients 
(published in 1997 on the Bugtraq mailing list). However, it seems it has 
never been fixed in the MIT Kerberos utilities package.


--[ Impact ]--

Shell commands can be issued remotely on the machine of a user who is 
retrieving files with this FTP client program, from a compromised or 
malicious ftp server. This leads to compromise of the client machine.
For instance, some scripts use the ftp client to automatically collect and 
archive files: the compromise of the server, or of any computer on the 
local network that can do Man In the Middle attacks, leads to compromise of 
any machine downloading the files using this ftp client.


--[ Details ]--

mget .
->
(...)
RETR "|touch testfile"
RETR "|sh" with content of the file '|sh' being shell commands


--[ Disclosure Policy ]--

The Hackademy Audit team was surprised to find in December 2002 that such 
a simple and old known vulnerability was still lying around in current 
software. So we thought that this issue might be a single distribution 
packaging problem... but on the other hand it could also affect other ftp 
clients, and could be present in many distributions and/or operating systems 
implementing Kerberos (for instance, on some default installs of the Linux 
Mandrake distribution, we found that the standard ftp client is a 
vulnerable MIT Kerberos ftp). A quick glance at the international MIT 
Kerberos source tree _seems_ to confirm that the problem is there.
We decided then to stop investigating this issue and give our information 
to the CERT, because they can conduct a better investigation with different 
vendors and responsible disclosure than we can. On Friday 24th January, 
CERT published the Vulnerability Note VU#258721 about this issue, stating 
that the MIT Kerberos client is actually vulnerable, and flagging many 
vendors as having status "Unknown" or "Not vulnerable". No vendor has 
provided a patch at this time. Please understand that this is the CERT 
research and disclosure policy, not ours.
This advisory is only posted by us to different mailing lists as a public 
service, to draw the attention of system administrators and vendors to the 
VU#258721 CERT vulnerability note, because nobody else did. If something is 
wrong, we are not the guys to blame ;-)
Please refer to the CERT web site for accurate and up-to-date information.


--[ Solution ]--

Due to the disclosure policy (see above), no patches are available at this 
time. Anyway, consider that this is a 1997 public vuln. And on a client 
program, not a server.
[Note that the standard Linux Netkit ftp client was fixed years ago]


-- Fozzy
The Hackademy School, Journal & Audit

http://www.thehackademy.net


============ FULL DISCLOSURE GOING ILLEGAL IN FRANCE =======================
Legal notice (should be obvious), because of a new French law - yet to be 
adopted - prohibiting among other things the disclosure of tools and data 
aimed at committing cyber crimes:
"No warranty of any kind. Advisory published in an intent to help system 
administrators to apply patches and workarounds to secure their networks 
and systems. These data are not aimed to help anyone doing any illegal 
actions. Such unfair uses of this information are forbidden."
*** Please fight against this irresponsible law. In a few weeks, if you are 
French and a virus infects your computer, you will be an outlaw. If you are 
curious and download nmap/nessus, but don't have any personal network to 
scan, you will be an outlaw. But if you are a virus writer, this is "for 
research", so you will have no problem with this law. Wow, how good.***
===========================================================================

