Re: Fw: Remote bufferoverflow exploit for ftpd from AIX 4.3.2

From: Gerrie (gerrieat_private)
Date: Wed Sep 29 1999 - 19:20:45 PDT


    >W.H.J.Pinckaers writes:
    >>
    >> sq01at_private <sq01at_private> Wrote
    >>
    >> >Hi,
    >> >
    >> >Short of disabling ftpd completely, is there a work-around that will not
    >> >affect our users ?
    >> >
    >>
    >>
    >> At this time: NO, but please make sure you are vulnerable first, we
    >> did discover that this bug is very specific for AIX 4.3.2. (Most other
    >> AIX versions aren't vulnerable to this particular bug)
    >>
    >
    >Actually, IBM does have an efix for this at:
    >
    >ftp://aix.software.ibm.com/aix/efixes/security/ftpd.tar.Z
    >
    >
     ftpd.tar.Z . . . . . . . . . . . Sep 29 06:32     87k
    
    I hereby admit that I was wrong; the 5 other email addresses the exploit was
    mailed to didn't get to the right person.
    Check this for the right email address, and the rest of the story.
    
    Also, Troy did his job well.
    
    first response:
    >Hi,
    >Thanks for the bugtraq post.  We'll have a fix out later tonight or
    >early tomorrow (EST).
    
    >I listen on the security-alertat_private email address and didn't
    >see anything regarding this.  Who in IBM did you send to?  I'm curious
    >because even a non-working exploit would show that the IAR was
    >overwritten.  At that point, it's definitely a problem that we'd fix as
    >soon as possible.
    
    second response:
    Quoting W.H.J.Pinckaers (W.H.J.Pinckaersat_private):
    >
    > This was mailed about three weeks ago to the following addresses, all
    > with a question about the correct email address for such bugs:
    >
    > securityat_private
    > security-alertat_private
    > supportat_private
    > supportat_private
    > securityat_private
    >
    > None of these mails bounced and the subject did make clear it was
    > a serious mail (and the body did make clear the bug was serious)
    > and none of these mails yielded a response
    
    Sounds like you tried to do the right thing and there was a breakdown
    somewhere in IBM.  I don't know where the security*@ibm.com addresses
    go, but I've sent email to our postmaster asking about them.
    
    > About a week later I was able to get a message to someone at ibm
    > (nl) who responded with a mail in Dutch stating that:
    >
    > - They didn't see any result of the exploit (an earlier version)
    > - Asked me if I was sure that the FTPD was the one from AIX and
    > not another one
    > - Asked me to contact them for further steps
    > - In effect denied the existence of the bug (I for myself question the
    > knowledge of this person, I doubt he did ever do anything security
    > related before (my 2 cents))
    
    Maybe this was a level 1 support person who was trying to screen
    incoming reports to determine who to contact next.  I agree that he
    wasn't sensitive to the security implications.
    
    > I replied with a mail in Dutch with the following content (well I don't
    > have the mail any more so it's just from my memory)
    > - Checking for a vulnerability isn't done by running an exploit.
    > (especially if you don't know what the exploit is supposed to do,
    > run /tmp/sh in this case)
    
    Yep, most of my exploits use:
    
      awk 'BEGIN{for(i=0;i<1024;i++)printf"x"}'
    
    A core dump with 0x78787878 in the IAR is a bad sign...  ;-)
    
    > My recommended further steps:
    > Check ftpd source for this bug, build a patch and release the patch.
    
    Done.  We issued an advisory with a temporary fix this morning.
    Hopefully the bugtraq post will show up soon (lately I've been receiving
    posts up to 3 days behind).
    
    > Check ftpd source for other security bugs, patch them and release
    > them. Repeat the last step for all daemons and suid programs (to
    > begin with you still have /tmp races etc)
    > (of course the latter is just dreaming from me)
    
    The official fix will include additional sprintf -> snprintf fixes as
    well.  They don't look exploitable but need to be fixed anyway.
    
    We're always looking for new vulnerabilities, so if you know of any more
    let us know.  We'll get symlink races fixed as well.  Of course we
    prioritize based on severity, i.e., the ftpd report will always be fixed
    before a symlink race in the sort command.
    
    > About a week ago I mailed this person (nlx3277at_private,  J.P.
    > Moelaert AIX support, the Netherlands) asking him to inform me of
    > the progress with the bug, I still haven't received a reply. At this
    > time Gerrie did mail the exploit (without extra explanation) to
    > bugtraq and voilà, a reply from someone who seems to be able to
    > fix it in one day.
    
    We actually found the exploit (on packetstorm, I think) on Monday so we
    were almost finished with the fix when we saw the bugtraq post.  In
    general, for a simple buffer overflow like this one, we can turn around
    a temporary fix in 2 to 3 days.
    
    > P.S. I assume I can mail you directly in the future if I happen to find
    > another bug?
    
    Yes, please.  Also copy security-alertat_private in case I ever get
    a vacation.  ;-)
    
    > P.S. 2: In the exploit are a couple of questions (like does TOC
    > matter, what is TOC, how fixed are the addresses etc) is it possible
    > to get these questions answered? (Just out of curiosity, I don't
    > really know much about RS6000 since I don't have access to one
    > (OK I have had access for 3 days during Hit2000 in which I did find
    > and exploited the bug)
    
    I don't think I should give you too many answers.  :-)
    
    However, our AIX documentation is available on the web:
    
       http://www.rs6000.ibm.com/doc_link/en_US/a_doc_lib/aixgen/
    
    In particular, you might want to start with the section on Subroutine
    Linkage Conventions or the "Programming the TOC" page:
    
       http://www.rs6000.ibm.com/doc_link/en_US/a_doc_lib/aixassem/alangref/\
              linkage_convent.htm
       http://www.rs6000.ibm.com/doc_link/en_US/a_doc_lib/aixassem/alangref/\
              program_toc.htm
    
    Remote exploits on AIX are difficult due to hardware differences and
    changes between releases (although they are possible, as you've shown).
    Being able to find and exploit one in 3 days is quite a feat.
    
    Besides problems related to TOC and upper case conversion, the ftpd
    buffer overflow shell code must avoid 0xff bytes because ftpd ignores
    them.
    
    > P.S. 3: www.rs6000.ibm.com is vulnerable (checked by sending a
    > 5000 char string to the ftpd, it died) this is austin.ibm.com (if I
    > remember correctly)
    >
    
    Thanks.  We're in the process of notifying the IBM external ftp servers
    now.
    
    --
    Troy Bollinger                            troyat_private
    AIX Security Development        security-alertat_private
    PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy
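The two defensive points in Troy's reply, the sprintf -> snprintf change and the 'x' filler test whose core dump shows 0x78787878 in the IAR, as an added example that is not IBM's ftpd code and not code posted in this thread: a fixed-size reply buffer filled with an unbounded sprintf (the "before" pattern) beside a hardened form that uses snprintf and treats a truncated result as an error rather than silently shipping it, a helper that measures whether the unbounded write would have overrun the buffer, and a helper that shows why an all-'x' input leaves 0x78787878 in a register. The function names, the 64-byte buffer and the "550 " reply prefix are assumptions made for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLY_SIZE 64   /* assumed fixed-size reply buffer, as in an ftpd reply path */

/* "Before" pattern: sprintf has no idea how big out is. With an argument
   longer than REPLY_SIZE this writes past the buffer; kept here only to
   show the shape of the bug, never call it with untrusted input. */
void format_reply_unsafe(char *out, const char *prefix, const char *arg)
{
    sprintf(out, "%s%s", prefix, arg);
}

/* Bytes sprintf("%s%s") would produce for prefix+arg, excluding the NUL.
   snprintf with a NULL destination and size 0 only measures, it writes nothing. */
size_t reply_len_needed(const char *prefix, const char *arg)
{
    int n = snprintf(NULL, 0, "%s%s", prefix, arg);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if format_reply_unsafe into a REPLY_SIZE buffer would overrun it for
   this argument (length plus the terminating NUL). Performs no write. */
int sprintf_would_overflow(const char *prefix, const char *arg)
{
    return reply_len_needed(prefix, arg) + 1 > REPLY_SIZE;
}

/* Hardened form: snprintf bounds the write, and the return value is checked.
   snprintf returns the length it wanted to write, so a value >= outsz means
   the reply was truncated; we reject that instead of sending a cut reply. */
int format_reply(char *out, size_t outsz, const char *prefix, const char *arg)
{
    int n = snprintf(out, outsz, "%s%s", prefix, arg);
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Test filler like the awk one-liner on the page: count copies of byte c.
   The caller supplies count + 1 bytes for the NUL. */
void make_filler(char *buf, size_t count, char c)
{
    memset(buf, c, count);
    buf[count] = '\0';
}

/* The 32-bit word a register such as the IAR holds after being overwritten
   with four copies of filler byte c. For 'x' (0x78) this is 0x78787878,
   which is why that value in a core dump points at the filler. */
uint32_t filler_word(unsigned char c)
{
    return ((uint32_t)c << 24) | ((uint32_t)c << 16) | ((uint32_t)c << 8) | c;
}

int main(void)
{
    char filler[1025];          /* constructed 1024-byte 'x' input */
    char reply[REPLY_SIZE];

    make_filler(filler, 1024, 'x');
    printf("needed bytes for 550 + filler: %zu (buffer is %d)\n",
           reply_len_needed("550 ", filler), REPLY_SIZE);
    printf("sprintf would overflow: %d\n", sprintf_would_overflow("550 ", filler));
    printf("hardened format_reply with filler: rc %d\n",
           format_reply(reply, sizeof reply, "550 ", filler));
    printf("hardened format_reply with short arg: rc %d, reply \"%s\"\n",
           format_reply(reply, sizeof reply, "550 ", "ok"), reply);
    printf("IAR after 'x' filler: 0x%08" PRIx32 "\n", filler_word('x'));
    return 0;
}
```

The check on the snprintf return value is the part that is easy to forget: replacing sprintf with snprintf stops the overflow, but without the check a truncated reply is still handed on as if it were complete.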
    


