Website: http://www.matasano.com/log
Original page: http://www.matasano.com/log/923/this-old-vulnerability-an-aix-ftp-client-retrospective/
I've had colleagues at Sun and SGI explicitly say "no one cares about security."
I kind of wonder if they're right. I have this feeling (one that I cannot prove) that most folks buying an IRIX/AIX box these days are doing so to maintain some legacy mountain of twisty passages that it would be incredibly painful to move away from. The vendors price accordingly.
And how can someone who claims to have read the AIX5L5.3 code, now even know that the command he proposes would give root access, only give the user access as the AIX userid he used to log in to the ftp server in the first place.
It was a disappointingly poor article.
If the ftp program is used as a non-root user in AIX 5L 5.3, then the !/bin/sh only gives a shell prompt for the non-root user.
# su - guest
$ ftp
ftp> !/bin/sh
$ id
uid=100(guest) gid=100(usr)
The problem is not so simple, but the security flaw exists.
https://www14.software.ibm.com/webapp/set2/subs...
IBM provides the following fixes:
AIX Level    APAR number    Availability
--------------------------------------------------------------------
5.2.0        IZ01812        10/31/2007 (subject to change)
5.3.0        IZ01813        11/27/2007 (subject to change)
AIX Version 5 APARs can be downloaded from:
http://www.ibm.com/servers/eserver/support/unix...
The !/bin/sh issue I am referring to is a vulnerability I think I remember from the distant past. I mention that right above the listing of that set of vulnerabilities. If it did exist, it would have been fixed 10+ years ago.
http://labs.idefense.com/intelligence/vulnerabi...
Only this time with strcpy