This Old Vulnerability: An AIX FTP client retrospective

Dave G. | July 30th, 2007 | Filed Under: This Old Vulnerability

Welcome to the pre-blackhat edition of This Old Vulnerability. iDefense recently put out an advisory on AIX’s ftp client. Let’s start out with a joke:

Knock Knock!

Who’s There?

AIX’s Team.

AIX’s Team Who?

AIX’s Team, who, besides you, ships ftp clients setuid root in 2007?

Yeah. I don’t get it either. Now you might think that is the most humorous thing I can say about AIX’s setuid root ftp client. Sadly, you are mistaken. This ftp client has had a history of security vulnerabilities. Let’s talk about the most recent iDefense one and work our way back.

This setuid-root ftp client has a buffer overflow in it. Not just a buffer overflow, but a stack-based buffer overflow (I could swear it’s 2007). Not just a stack-based buffer overflow, but the simplest kind, an unbounded read from user input. (I don’t remember 2006 very well, but all of my computers say 2007) Even more entertaining, it is due to calls to gets(). (Is this the Morris worm? Am I trapped inside of 1987?)

To understand this further, I caught up with one of the world’s foremost authorities on gets():

Q: gcc What do you think of the gets() function?

A: gcc: What: No such file or directory
gcc: do: No such file or directory
gcc: you: No such file or directory
gcc: think: No such file or directory
gcc: of: No such file or directory
gcc: the: No such file or directory
gcc: gets(): No such file or directory
gcc: function?: No such file or directory
gcc: no input files

Q: Oh, sorry, my bad. I will submit my question in the form of C code.
gcc -o gets-question gets-question.c

A: /tmp/ccPW3krf.o: In function ‘main’:
/tmp/ccPW3krf.o(.text+0x24): the ‘gets’ function is dangerous and should not be used.

Q: Thank you for your time.

So, to recap, in the year 2007, there is a commercial operating system shipping a setuid-root ftp client with calls to gets() in it.
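What that call site looks like, and what replaces it: an added example written for this retrospective, not code from AIX or from the iDefense advisory. The first function spells out gets() semantics (it is fed nothing but a short line here); the second is a bounded reader that reports truncation and discards the rest of the over-long line rather than letting the tail be parsed as the next command. The helper that builds a FILE from a string, and the sample lines, are constructed for the example.

```c
/* Added example, not AIX's or iDefense's code: the shape of the gets()
 * defect beside a bounded reader that replaces it. */
#include <stdio.h>
#include <string.h>

/* gets() semantics written out: copy until newline or EOF with no idea
 * how big buf is. The caller cannot pass a size, so nothing at the call
 * site can make it safe; the API itself is the bug. Kept here only to
 * show the defect and fed nothing but a short line in main(). */
static char *gets_like(char *buf, FILE *fp)
{
    int c;
    char *p = buf;
    while ((c = getc(fp)) != EOF && c != '\n')
        *p++ = (char)c;              /* no bound: a long line writes past buf */
    if (c == EOF && p == buf)
        return NULL;
    *p = '\0';
    return buf;
}

enum line_status { LINE_OK = 0, LINE_EOF = 1, LINE_TRUNCATED = 2 };

/* Bounded replacement: at most size-1 bytes land in buf, buf is always
 * NUL-terminated, the newline is stripped, and an over-long line is
 * reported. On truncation the rest of the line is drained so the next
 * read starts on a fresh line instead of parsing the tail as a command. */
static enum line_status bounded_readline(char *buf, size_t size, FILE *fp)
{
    if (size == 0)
        return LINE_EOF;
    if (fgets(buf, (int)size, fp) == NULL) {
        buf[0] = '\0';
        return LINE_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return LINE_OK;
    }
    /* No newline: either EOF without a trailing newline or a line that
     * did not fit. Read one more character to tell the two apart. */
    int c = getc(fp);
    if (c == EOF)
        return LINE_OK;
    while (c != EOF && c != '\n')    /* discard the oversized remainder */
        c = getc(fp);
    return LINE_TRUNCATED;
}

/* Test helper (constructed): a temporary FILE holding an input string,
 * so the readers can be exercised without touching the terminal. */
static FILE *stream_from(const char *text)
{
    FILE *fp = tmpfile();
    if (fp != NULL) {
        fputs(text, fp);
        rewind(fp);
    }
    return fp;
}

static enum line_status read_from_string(const char *text, char *buf, size_t size)
{
    FILE *fp = stream_from(text);
    if (fp == NULL)
        return LINE_EOF;
    enum line_status st = bounded_readline(buf, size, fp);
    fclose(fp);
    return st;
}

int main(void)
{
    char buf[16];   /* deliberately small, like a fixed command buffer */
    FILE *fp = stream_from("pwd\n");          /* constructed short line */
    if (fp != NULL) {
        printf("gets_like -> \"%s\"\n", gets_like(buf, fp));
        fclose(fp);
    }
    /* Constructed inputs: one that fits and one 40-byte command line. */
    enum line_status st = read_from_string("get file.txt\n", buf, sizeof buf);
    printf("status=%d line=\"%s\"\n", st, buf);
    st = read_from_string("get AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n", buf, sizeof buf);
    printf("status=%d line=\"%s\" (remainder discarded)\n", st, buf);
    return 0;
}
```

The truncation status matters as much as the bound: a client that silently keeps the first 15 bytes and then reads the remainder as a fresh command has traded a memory bug for a command-splitting one.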

Now, this story could end here. Old forgotten code that no one has looked at in a while. However, I distinctly remembered that there has been a history of vulnerabilities in this superfluously setuid root code. Almost as good as the sendmail debug vulnerabilities, the archive footage for this vulnerability shows:

AIX ftp tftp and utftp Core Dump Vulnerability

Some versions of ftpd, tftpd, and utftpd under AIX use the gets() system call to gather information from standard input (STDIN). The gets() system call has no means to denote size of the string it is handling and allows for an infinite amount of data to be passed into it. The problem lies in that the code in ftpd tftpd and utftpd which takes data from the gets() call places it in a fixed buffer. This buffer can be overflown resulting in the applications dumping core. Because these programs are run as root, the core images may contain critical root owned pieces of memory, such as user names and passwords.

The description is totally confusing at first. The title says it’s the clients that have the vulnerabilities, but the description says it’s the servers. Which are we to believe? I believe it to be the clients. I believe this for two reasons.

  1. The title for the vulnerability can be found in other documents on the Internet.

  2. There is no evidence that AIX shipped with a utftpd. But you can find man pages for a utftp, which is a version of tftp for use in pipes.

I wonder if these are the same gets() calls from the iDefense advisory. I really wonder how they fixed the original vulnerabilities (rlimits on coredumps?). I really really wonder why this all has to be setuid…

Here are some other vulnerabilities that have impacted their ftp client in the past:

  1. IX70885 SECURITY: FTP CLIENT INTERPRETS SERVER PROVIDED FILENAMES. The ftp client can be tricked into running arbitrary commands supplied by the remote server. When the remote file begins with a pipe symbol, the ftp client will process the contents of the remote file as a shell script.

  2. IX85556 SECURITY: BUFFER OVERFLOW IN FTP CLIENT. When parsing a 227 message, the ftp client may generate a segmentation violation and core dump. (and by segmentation violation and dump core, we mean run attacker supplied machine code as root).

  3. IY13781 SECURITY: FORMAT STRING VULNERABILITY IN FTP CLIENT. The ftp client shipped with AIX version 4.3.X contains a format string buffer overflow in the quote command. Since the ftp client is setuid root, this allows a local attacker to gain root privileges.

  4. ftp> !/bin/sh (*)

(*) I really remember this being a vulnerability, but can’t find confirmation. It is possible that I have implicated ftp in tprof’s crime.
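Two of those entries, the pipe-symbol filename (IX70885) and the 227 reply parser (IX85556), come down to trusting bytes the server chose. As an added example, not AIX's code and not derived from its source, here is how a client can handle both with bounds and validation. The reply layout assumed is the one RFC 959 specifies, "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; the function names and the sample replies and filenames are constructed for the example.

```c
/* Added example, not AIX's or iDefense's code: bounded handling of two
 * inputs the historical ftp client trusted, a server's 227 reply and a
 * server-supplied filename. Reply format per RFC 959:
 *   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define PASV_HOST_LEN 16   /* "255.255.255.255" plus NUL */

/* Parse a 227 reply into a dotted-quad host and a port. Returns 1 on
 * success, 0 on any malformed input. Every field is digit-counted and
 * range-checked before it is accepted, and the host string is built
 * with snprintf, so a hostile reply cannot write past the caller's
 * storage or smuggle an out-of-range value through. */
static int parse_pasv_reply(const char *line, char host[PASV_HOST_LEN], unsigned *port)
{
    unsigned v[6];
    const char *p = strchr(line, '(');
    if (strncmp(line, "227", 3) != 0 || p == NULL)
        return 0;
    p++;
    for (int i = 0; i < 6; i++) {
        unsigned n = 0;
        int digits = 0;
        while (isdigit((unsigned char)*p)) {
            n = n * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || n > 255)   /* reject before anything can overflow */
                return 0;
            p++;
        }
        if (digits == 0)
            return 0;
        v[i] = n;
        if (*p++ != (i == 5 ? ')' : ','))  /* exactly six fields, then ')' */
            return 0;
    }
    snprintf(host, PASV_HOST_LEN, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
    *port = v[4] * 256 + v[5];
    return 1;
}

/* Decide whether a server-supplied name may be used as a local filename.
 * Old clients handed names beginning with '|' to a shell; this refuses
 * that, plus absolute paths, ".." components and control characters, so
 * the name can only land under the current directory. Returns 1 if the
 * name is acceptable, 0 otherwise. */
static int local_filename_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '|' || name[0] == '/')
        return 0;
    for (const char *p = name; *p; p++)
        if (iscntrl((unsigned char)*p))
            return 0;
    /* Walk the '/'-separated components and reject any that is "..". */
    const char *s = name;
    for (;;) {
        const char *e = strchr(s, '/');
        size_t len = e ? (size_t)(e - s) : strlen(s);
        if (len == 2 && s[0] == '.' && s[1] == '.')
            return 0;
        if (e == NULL)
            break;
        s = e + 1;
    }
    return 1;
}

int main(void)
{
    /* Constructed replies and names; 192.0.2.x is documentation space. */
    const char *replies[] = {
        "227 Entering Passive Mode (192,0,2,10,19,137)",
        "227 Entering Passive Mode (999,0,2,10,19,137)",
        "227 Entering Passive Mode (192,0,2,10,19)",
    };
    const char *names[] = { "report.txt", "|sh", "../etc/passwd", "docs/a.txt" };
    char host[PASV_HOST_LEN];
    unsigned port;
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++) {
        if (parse_pasv_reply(replies[i], host, &port))
            printf("ok   %s -> %s:%u\n", replies[i], host, port);
        else
            printf("drop %s\n", replies[i]);
    }
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-5s %s\n", local_filename_is_safe(names[i]) ? "use" : "skip", names[i]);
    return 0;
}
```

The parser refuses rather than repairs: a reply with a fifth field of 999, a missing field, or an extra one is dropped whole, which is the right outcome for a control-channel message that the client has no business guessing about.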

7 Comments so far

  • Dan Weber

    July 30th, 2007 8:50 am

    I think the vendors of the non-Linux Unices have just decided “fuck it, no one cares.”

    I’ve had colleagues at Sun and SGI explicitly say “no one cares about security.”

    I kind of wonder if they’re right. I have this feeling (one that I cannot prove) that most folks buying an IRIX/AIX box these days are doing so to maintain some legacy mountain of twisty passages that it would be incredibly painful to move away from. The vendors price accordingly.

  • Matt

    July 30th, 2007 2:43 pm

    Thank you, Dave. The top half of this post really made my morning. The bottom half was pretty good, too, but the top half was inspired.

  • Ma petite parcelle d'Internet...

    July 30th, 2007 6:57 pm

    Old style vulns and voting machines…

    Granted, the summer is getting cold, but it is not Christmas yet. And yet… First, it is iDefense that wakes up the people at IBM with this series of stack overflows in the AIX FTP client…

  • Roden

    August 17th, 2007 6:20 am

    I was hoping to find something substantial, but in the end it sadly just showed the lack of knowledge on the writer's part. Especially since he could not even read the documentation for ftpd: http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds2/ftpd.htm

    And how can someone who claims to have read the AIX 5L 5.3 code not even know that the command he proposes would not give root access? It only gives the user access as the AIX userid he used to log in to the ftp server in the first place.

    It was a disappointingly poor article.

  • Roden

    August 17th, 2007 6:31 am

    Sorry for my hasty spelling in the previous comment.

    If the ftp program is used as a non-root user in AIX 5L 5.3, then the !/bin/sh only gives a shell prompt for the non-root user.

    # su - guest
    $ ftp
    ftp> !/bin/sh
    $ id
    uid=100(guest) gid=100(usr)

    The problem is not so simple, but the security flaw exists.

    https://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoeblist?mode=7&heading=AIX53&path=%2F200707%2FSECURITY%2F20070726%2Fdatafile095634&label=UPDATE-AIX+ftp+gets%28%29+Buffer+Overflow+Vulnerabilities

    IBM provides the following fixes:

    AIX Level   APAR number   Availability
    -------------------------------------------------------
    5.2.0       IZ01812       10/31/2007 (subject to change)
    5.3.0       IZ01813       11/27/2007 (subject to change)

    AIX Version 5 APARs can be downloaded from:

    http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html

  • Dave G.

    August 17th, 2007 10:33 am

    Roden:

    The !/bin/sh issue I am referring to is a vulnerability I think I remember from the distant past. I mention that right above the listing of that set of vulnerabilities. If it did exist, it would have been fixed 10+ years ago.

  • forever.b0rked

    October 30th, 2007 4:23 pm