From kragen@dnaco.net Thu Jul 23 16:47:26 1998 -0400
Date: Thu, 23 Jul 1998 16:47:25 -0400 (EDT)
From: Kragen
To: support_feedback@europe-support.external.hp.com
cc: BUGTRAQ@NETSPACE.ORG
Subject: Re: Security Bulletins Digest
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Keywords:
X-UID: 726
Status: O
X-Status:

On Thu, 23 Jul 1998 vtmue@HEAVEN.RUF.UNI-FREIBURG.DE wrote:

> -------------------------------------------------------------------------
> PROBLEM: ftp client interprets server provided filenames which can
> cause commands to be run on the client.

This sounds an awful lot like something that was on BUGTRAQ some time
ago. Last year? Two years ago?

> DAMAGE: Local users can increase their privileges

If this really is the damage, that's rather surprising. That means HP's
ftp client runs with more privileges than the user running it, which is
not kosher. Is this the case?

If HP's ftp client is interpreting things the same way the old BSD ftp
client did, this is much worse. If this is the case, then a malicious
ftp-site admin who can trick you into downloading several files from
their site (so you're tempted to use mget) can get access on your box;
if they can trick you into downloading several hundred files, they can
get access most likely without you even noticing (because you won't sit
and watch the filenames scroll by, will you?); and if they can trick you
into downloading those files as root, they can get root access.

If the problem is *anything* like what they say it is, the impact is
that remote users who run ftp sites can cause local users to do things
they didn't mean to do.

I think this warrants further investigation by someone with an HP box.

More quotes:

> The ftp client can be tricked into running arbitrary commands
> supplied by the remote server.

> Permission is granted for copying and circulating this Bulletin to
> Hewlett-Packard (HP) customers (or the Internet community) for the
> purpose of alerting them to problems, if and only if, the Bulletin
> is not edited or changed in any way, is attributed to HP, and
> provided such reproduction and/or distribution is performed for
> non-commercial purposes.
>
> Any other use of this information is prohibited.

Fortunately for us, US law does not currently allow them to prohibit
other use of this information.

Kragen
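The root of the bug the bulletin describes is that the client trusts names the server sends in a directory listing and uses them, unchecked, as local file names during mget. The C below is an added example (it is not code from Kragen's mail, from HP's bulletin, or from any real ftp client) of the kind of allow-list check a client can apply to every listing entry before it becomes a local path. The policy it enforces (only `[A-Za-z0-9._-]`, no leading `.` or `-`, no `/`, a length cap) and the sample NLST reply are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Longest local file name this example will accept (assumed limit). */
#define MAX_NAME 255

/* Return 1 if `name` is acceptable as a local file name derived from a
 * server-supplied listing entry, 0 otherwise. Allow-list policy, chosen
 * for this example rather than taken from any client's source:
 *  - non-empty and at most MAX_NAME bytes
 *  - only ASCII letters, digits, '.', '_' and '-'
 *  - must not begin with '.' (no dot-files) or '-' (no option-like names)
 *  - '/' is not allowed at all, so no directory components or traversal
 * Anything else, including shell metacharacters, spaces and control
 * bytes, is rejected rather than interpreted. */
int safe_local_name(const char *name)
{
    size_t len, i;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > MAX_NAME) return 0;
    if (name[0] == '.' || name[0] == '-') return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (isalnum(c) || c == '.' || c == '_' || c == '-') continue;
        return 0;
    }
    return 1;
}

/* Walk a raw NLST reply (entries separated by CR/LF), copy each acceptable
 * name into `out` (at most `max_out` entries) and count the rejected ones
 * in *rejected. Returns the number of names accepted. */
int filter_listing(const char *reply, char out[][MAX_NAME + 1],
                   int max_out, int *rejected)
{
    char line[MAX_NAME + 1];
    int accepted = 0;
    const char *p = reply;
    *rejected = 0;
    while (*p != '\0') {
        const char *end = strpbrk(p, "\r\n");
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n > 0) {
            if (n > MAX_NAME) {
                (*rejected)++;               /* over-long: reject without copying */
            } else {
                memcpy(line, p, n);
                line[n] = '\0';
                if (!safe_local_name(line)) {
                    (*rejected)++;
                } else if (accepted < max_out) {
                    strcpy(out[accepted++], line);
                }
            }
        }
        if (end == NULL) break;
        p = end;
        while (*p == '\r' || *p == '\n') p++;
    }
    return accepted;
}

/* Constructed sample reply: two ordinary names plus four entries a
 * hostile server might send to exercise the client's filename handling. */
const char sample_reply[] =
    "README.txt\r\n"
    "|unsafe\r\n"        /* leading pipe: rejected */
    "../outside\r\n"     /* traversal: rejected */
    ".hidden\r\n"        /* dot-file: rejected */
    "report-2.pdf\r\n"
    "two words\r\n";     /* space: rejected */

int main(void)
{
    char names[8][MAX_NAME + 1];
    int rejected, i;
    int n = filter_listing(sample_reply, names, 8, &rejected);
    printf("accepted %d, rejected %d\n", n, rejected);
    for (i = 0; i < n; i++)
        printf("  would fetch: %s\n", names[i]);
    return 0;
}
```

Run as-is it accepts only `README.txt` and `report-2.pdf`. An allow-list is used instead of a deny-list of known-bad characters because it does not depend on guessing which metacharacters the surrounding code (shell, popen, the filesystem) will treat specially.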