=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN327
_____________________________________________________________________

DATE                      : 30/08/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : IBM AIX versions running AIX ftpd.

======================================================================
http://aix.software.ibm.com/aix/efixes/security/ftpd_advisory.asc
______________________________________________________________________

IBM SECURITY ADVISORY

First Issued: Wed Aug 25 15:51:53 CDT 2010

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/ftpd_advisory.asc

                           VULNERABILITY SUMMARY

VULNERABILITY:   AIX ftpd buffer overflow vulnerability

PLATFORMS:       AIX 5.3, and earlier releases

SOLUTION:        Apply the fix or workaround as described below.

THREAT:          A remote attacker may be able to execute arbirary
                 code on a vulnerable server.

CERT VU Number:  n/a
CVE Number:      n/a

Reboot required?    NO
Workarounds?        YES
Protected by FPM?   NO
Protected by SED?   NO

                           DETAILED INFORMATION

I. DESCRIPTION

    There is a buffer overflow vulnerability in the ftp server. By
    issuing an overly long NLST command, an attacker may cause a
    buffer overflow.

    The successful exploitation of this vulnerability allows a remote
    attacker to get the DES encrypted user hashes off the server if
    FTP is configured to allow write access using Anonymous account
    or another account that is available to the attacker.

    The following executable is vulnerable:

        /usr/sbin/ftpd

    Please see the following for more information:
    http://www.exploit-db.com/exploits/14456/

II. PLATFORM VULNERABILITY ASSESSMENT

    Note: To use the following commands on VIOS you must first
    execute:

    oem_setup_env

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L bos.net.tcp.client

    The following fileset levels are vulnerable:

    AIX Fileset        Lower Level     Upper Level
    ------------------------------------------------
    bos.net.tcp.client 5.3.9.0         5.3.9.9
    bos.net.tcp.client 5.3.10.0        5.3.10.4
    bos.net.tcp.client 5.3.11.0        5.3.11.4
    bos.net.tcp.client 5.3.12.0        5.3.12.1

III. SOLUTION

    A. FIXES

        Fixes are now available.  The fixes can be downloaded from:

        http://aix.software.ibm.com/aix/efixes/security/ftpd_fix.tar

        The links above are to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.

        AIX Level    VIOS Level       Fix
        ------------------------------------------------------
        5.3.9                         IZ83252_09.100824.epkg.Z
        5.3.10                        IZ83274_10.100824.epkg.Z
        5.3.11                        IZ83275_11.100824.epkg.Z
        5.3.12                        IZ83276_12.100824.epkg.Z

        To extract the fixes from the tar file:

        tar xvf qoslist_fix.tar
        cd qoslist_fix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "csum -h SHA1"
        (sha1sum) commands and are as follows:

        csum -h SHA1 (sha1sum)                    filename
        ------------------------------------------------------------------
        eebecb166c86462ce5ae150fa60a82dc08cfccda  IZ83252_09.100824.epkg.Z
        4598a4079cfe45b545c7d1d96dacbf4dda1b486e  IZ83274_10.100824.epkg.Z
        916fc41925d77c31478af8bd80e417d020fc6037  IZ83275_11.100824.epkg.Z
        99117134e3cda009c6e19f5f334210e1a5ac4bab  IZ83276_12.100824.epkg.Z

        To verify the sums, use the text of this advisory as input to
        csum or sha1sum. For example:

        csum -h SHA1 -i ftpd_advisory.asc
        sha1sum -c ftpd_advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security and describe the
        discrepancy at the following addresses:

            security-alert@austin.ibm.com

     B. FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        Fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview fix installation:

        emgr -e fix_name -p         # where fix_name is the name of the
                                    # fix being previewed.

        To install fix package:

        emgr -e fix_name -X         # where fix_name is the name of the
                                    # fix being installed.

    C. APARS

        IBM has assigned the following APARs to this problem:

        AIX Level           APAR number        Service pack date
        --------------------------------------------------------
        5.3.9               IZ83252            tbd
        5.3.10              IZ83274            tbd
        5.3.11              IZ83275            tbd
        5.3.12              IZ83276            tbd

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ83252
        http://www.ibm.com/support/docview.wss?uid=isg1IZ83274
        http://www.ibm.com/support/docview.wss?uid=isg1IZ83275
        http://www.ibm.com/support/docview.wss?uid=isg1IZ83276

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the service
        pack when it becomes available.

IV. WORKAROUND

    Configure ftp daemon to disallow write access to anonymous FTP
    users will limit the ability to create a directory that can
    trigger this vulnerability.

VI. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:

        http://www.ibm.com/systems/support

    and click on the "My notifications" link.

    To view previously issued advisories, please visit:

        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd

    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com

    To obtain the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from our web page:

  http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

        C. Download the key from a PGP Public Key Server. The key ID is:

            0x28BFAA12

    Please contact your local IBM AIX support center for any
    assistance.

    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.

VII. ACKNOWLEDGMENTS

    This vulnerability was publicly disclosed by Kingcope.
======================================================================

          =========================================================
          Les serveurs de référence du CERT-Renater
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================