http://matasanochargen.disqus.com/enThu, 09 Jul 2009 01:26:56 -0000http://www.matasano.com/log/923/this-old-vulnerability-an-aix-ftp-client-retrospective/#comment-12365781I really like reading in this site.. I always learn a lot from you Dave.. Keep it up!!!movingketz002Thu, 09 Jul 2009 01:26:56 -0000http://www.matasano.com/log/923/this-old-vulnerability-an-aix-ftp-client-retrospective/#comment-2322993They did it again:<br><br><a href="http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=616" rel="nofollow">http://labs.idefense.com/intelligence/vulnerabi...</a><br><br>Only this time with strcpyforever.b0rkedTue, 30 Oct 2007 16:23:23 -0000http://www.matasano.com/log/923/this-old-vulnerability-an-aix-ftp-client-retrospective/#comment-2322990Roden:<br><br>The !/bin/sh issue I am referring to is a vulnerability I think I remember from the distant past. I mention that right above the listing of that set of vulnerabilities. If it did exist, it would have been fixed 10+ years ago.Dave G.Fri, 17 Aug 2007 10:33:32 -0000http://www.matasano.com/log/923/this-old-vulnerability-an-aix-ftp-client-retrospective/#comment-2322992Sorry for my hasty spelling in the previous comment.<br><br>If the ftp program is used as a non-root user in AIX 5L 5.3, then the !/bin/sh only gives a shell prompt for the non-root user.<br><br># su - guest<br>$ ftp<br>ftp&gt; !/bin/sh<br>$ id<br>uid=100(guest) gid=100(usr)<br><br><br>The problem is not so simple, but the security flaw exists.<br><br><a href="https://www14.software.ibm.com/webapp/set2/subscriptions/ijhifoeblist?mode=7&amp;heading=AIX53&amp;path=%252F200707%252FSECURITY%252F20070726%252Fdatafile095634&amp;label=UPDATE-AIX+ftp+gets%2528%2529+Buffer+Overflow+Vulnerabilities" rel="nofollow">https://www14.software.ibm.com/webapp/set2/subs...</a><br><br><br>IBM provides the following fixes:<br><br> AIX Level APAR number Availability<br> --------------------------------------------------------------------<br> 5.2.0 IZ01812 10/31/2007 (subject to change)<br> 5.3.0 IZ01813 11/27/2007 (subject to change)<br><br> AIX Version 5 APARs can be downloaded from:<br><br> <a href="http://www.ibm.com/servers/eserver/support/unixservers/aixfixes.html" rel="nofollow">http://www.ibm.com/servers/eserver/support/unix...</a>RodenFri, 17 Aug 2007 06:31:12 -0000http://www.matasano.com/log/923/this-old-vulnerability-an-aix-ftp-client-retrospective/#comment-2322991I was hoping to find something substatial, but in the end it sadly just showed the lack of knowledge of the writes part. Especially since he could not even read the documentation for ftpd: <a href="http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.cmds/doc/aixcmds2/ftpd.htm" rel="nofollow">http://publib.boulder.ibm.com/infocenter/pserie...</a><br><br>And how can someone who claims to have read the AIX5L5.3 code, now even know that the command he propose would give root access, only give the user access as the AIX userid he used to logged in to the ftp server in the first place.<br><br>It was a dissapointingly poor article.RodenFri, 17 Aug 2007 06:20:23 -0000http://www.matasano.com/log/923/this-old-vulnerability-an-aix-ftp-client-retrospective/#comment-2322989Thank you, Dave. The top half of this post really made my morning. The bottom half was pretty good, too, but the top half was <em>inspired</em>.MattMon, 30 Jul 2007 14:43:50 -0000http://www.matasano.com/log/923/this-old-vulnerability-an-aix-ftp-client-retrospective/#comment-2322988I think the vendors of the non-Linux Unices have just decided "fuck it, no one cares."<br><br>I've had colleagues at Sun and SGI explicitly say "no one cares about security."<br><br>I kind of wonder if they're right. I have this feeling (one that I cannot prove) that most folks buying an IRIX/AIX box these days are doing so to maintain some legacy mountain of twisty passages that it would be incredibly painful to move away from. The vendors price accordingly.Dan WeberMon, 30 Jul 2007 08:50:10 -0000