Bugtraq mailing list archives

Re: Directory Traversal Vulnerabilities in FTP Clients


From: Stephen Samuel <samuel () bcgreen com>
Date: Thu, 12 Dec 2002 08:15:01 -0800

I have a bone to pick with Sun's classification of the FTP traversal
vulnerability as 'not a bug'

Most notably:
   The Solaris ftp mget behaviour is consistent with other BSD derived
   ftp clients, for example on Linux and FreeBSD.  Changing the
   existing behaviour will cause problems.

I will simply classify this comment as "the lemming response": 'Everybody
else has this bug, so we'll leave it that way'.

First of all, it would appear that Linux (Red-Hat) and (open)BSD
developers are responding to this issue as a bug and appear to be
developing/distributing solutions.  Secondly, these directory traversal
activities are in response to clearly non-standard responses from
a server. I can't think of any case where a legitimate FTP server
would respond with those file names and expect that the files would
be installed in such a location.

I don't see how breaking an obvious exploit that has few (if any)
legitimate uses would 'cause problems'. If Sun wants to enable the few
cases where a user actually *wanted* to enable directory traversal, it
would be easy enough to code in a runtime flag.

This issue is also not only a systems vulnerability. An attacker could,
for example, craft an exploit aimed at a specific user, resulting in
the replacement/destruction of a document with legal/political
significance.  It could also result in the destruction/modification of
system-significant files associated with an account used to do automated
downloads.

The runique and interactive workarounds are only useful for interactive
(not script or batch) downloads, and/or where existing files are not
usually expected to be replaced in the normal course of actions.

In short, I'm very disappointed by Sun's unwillingness to address this
exploit as the bug that it clearly is -- insecure actions in the face
of entirely non-standard input.
--
Stephen Samuel +1(604)876-0426                samuel () bcgreen com
                   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.
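As an added example (not part of the original post, nor code from any vendor's ftp client), this is the kind of check the reply argues for: an mget-style download planner that rejects server-supplied names that would land outside the download directory, with an explicit runtime flag for the rare case where traversal is actually wanted. The listing, destination directory and function names are constructed for illustration.

```python
import os

def is_safe_download_name(name: str) -> bool:
    """True only if a name taken from a server's NLST/LIST reply names a
    plain entry inside the current download directory.  Anything with a
    path separator, a NUL, or the special entries '.' and '..' is refused,
    so a hostile or misconfigured server cannot steer where a file lands."""
    if not name or name in (".", ".."):
        return False
    if "\x00" in name or "/" in name or "\\" in name:
        return False
    return True

def plan_mget(listing, dest_dir, allow_traversal=False):
    """Decide where each server-supplied name would be written.

    Returns (accepted, rejected): accepted is a list of (name, target path),
    rejected is the list of names dropped.  allow_traversal=False is the
    safe default; True reproduces the legacy 'trust the server' behaviour
    for users who explicitly ask for it (the runtime flag the post suggests)."""
    dest = os.path.abspath(dest_dir)
    accepted, rejected = [], []
    for name in listing:
        if allow_traversal or is_safe_download_name(name):
            accepted.append((name, os.path.normpath(os.path.join(dest, name))))
        else:
            rejected.append(name)
    return accepted, rejected

# Constructed example of a non-standard server reply: two ordinary names
# mixed with entries that would overwrite files elsewhere on the client.
LISTING = ["README", "../../victim_report.doc", "/abs/path.txt", "notes.txt", "sub/dir", ".."]

if __name__ == "__main__":
    ok, dropped = plan_mget(LISTING, "/tmp/dl")
    for name, target in ok:
        print("would fetch", repr(name), "->", target)
    for name in dropped:
        print("refused", repr(name))
```

Logging the refused names (rather than silently skipping them) also gives a batch job a clear signal that the server is misbehaving.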

