-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Wed Aug 25 15:51:53 CDT 2010

The most recent version of this document is available here:

http://aix.software.ibm.com/aix/efixes/security/ftpd_advisory.asc
| Updated: Thu Aug 26 14:00:58 CDT 2010
| Fixed the download link and extract fixes
| Added additional exploit reference under DESCRIPTION 
| Fixed the WORKAROUND
| Fixed the THREAT
| Added VIOS information

                           VULNERABILITY SUMMARY

VULNERABILITY:   AIX ftpd buffer overflow vulnerability

PLATFORMS:       AIX 5.3, and earlier releases 
                 VIOS 1.5, and earlier releases

SOLUTION:        Apply the fix or workaround as described below.

THREAT:          A remote attacker may be able to execute arbirary
                 code on a vulnerable system.

CERT VU Number:  n/a
CVE Number:      n/a

Reboot required?    NO
Workarounds?        YES
Protected by FPM?   NO
Protected by SED?   NO

                           DETAILED INFORMATION

I. DESCRIPTION

    There is a buffer overflow vulnerability in the ftp server. By 
    issuing an overly long NLST command, an attacker may cause a 
    buffer overflow. 

    The successful exploitation of this vulnerability allows a remote 
    attacker to get the DES encrypted user hashes off the server if 
    FTP is configured to allow write access using Anonymous account
    or another account that is available to the attacker.

    The following executable is vulnerable:

        /usr/sbin/ftpd

    Please see the following for more information:
    http://www.exploit-db.com/exploits/14456/
    http://www.exploit-db.com/exploits/14409/

II. PLATFORM VULNERABILITY ASSESSMENT

    Note: To use the following commands on VIOS you must first
    execute:

    oem_setup_env

    To determine if your system is vulnerable, execute the following
    command:

    lslpp -L bos.net.tcp.client

    The following fileset levels are vulnerable:

    AIX Fileset        Lower Level     Upper Level
    ------------------------------------------------
    bos.net.tcp.client 5.3.9.0         5.3.9.9
    bos.net.tcp.client 5.3.10.0        5.3.10.4
    bos.net.tcp.client 5.3.11.0        5.3.11.4
    bos.net.tcp.client 5.3.12.0        5.3.12.1

III. SOLUTION

    A. FIXES

        Fixes are now available.  The fixes can be downloaded from:

        http://aix.software.ibm.com/aix/efixes/security/ftpd_ifix.tar

        The links above are to a tar file containing this signed
        advisory, fix packages, and PGP signatures for each package.

        AIX Level    VIOS Level       Fix
        ------------------------------------------------------
        5.3.9        1.5.2            IZ83252_09.100824.epkg.Z 
        5.3.10                        IZ83274_10.100824.epkg.Z 
        5.3.11                        IZ83275_11.100824.epkg.Z 
        5.3.12                        IZ83276_12.100824.epkg.Z 

        To extract the fixes from the tar file:

        tar xvf ftpd_ifix.tar
        cd ftpd_ifix

        Verify you have retrieved the fixes intact:

        The checksums below were generated using the "csum -h SHA1"
        (sha1sum) commands and are as follows:

        csum -h SHA1 (sha1sum)                    filename
        ------------------------------------------------------------------
        eebecb166c86462ce5ae150fa60a82dc08cfccda  IZ83252_09.100824.epkg.Z
        4598a4079cfe45b545c7d1d96dacbf4dda1b486e  IZ83274_10.100824.epkg.Z
        916fc41925d77c31478af8bd80e417d020fc6037  IZ83275_11.100824.epkg.Z
        99117134e3cda009c6e19f5f334210e1a5ac4bab  IZ83276_12.100824.epkg.Z

        To verify the sums, use the text of this advisory as input to
        csum or sha1sum. For example:

        csum -h SHA1 -i ftpd_advisory.asc
        sha1sum -c ftpd_advisory.asc

        These sums should match exactly. The PGP signatures in the tar
        file and on this advisory can also be used to verify the
        integrity of the fixes.  If the sums or signatures cannot be
        confirmed, contact IBM AIX Security and describe the
        discrepancy at the following addresses:

            security-alert@austin.ibm.com

     B. FIX INSTALLATION

        IMPORTANT: If possible, it is recommended that a mksysb backup
        of the system be created.  Verify it is both bootable and
        readable before proceeding.

        Fix management documentation can be found at:

        http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html

        To preview fix installation:

        emgr -e fix_name -p         # where fix_name is the name of the  
                                    # fix being previewed.

        To install fix package:

        emgr -e fix_name -X         # where fix_name is the name of the  
                                    # fix being installed.

    C. APARS

        IBM has assigned the following APARs to this problem:

        AIX Level           APAR number        Service pack date
        --------------------------------------------------------
        5.3.9               IZ83252            tbd
        5.3.10              IZ83274            tbd
        5.3.11              IZ83275            tbd
        5.3.12              IZ83276            tbd

        Subscribe to the APARs here:

        http://www.ibm.com/support/docview.wss?uid=isg1IZ83252
        http://www.ibm.com/support/docview.wss?uid=isg1IZ83274
        http://www.ibm.com/support/docview.wss?uid=isg1IZ83275
        http://www.ibm.com/support/docview.wss?uid=isg1IZ83276

        By subscribing, you will receive periodic email alerting you
        to the status of the APAR, and a link to download the service
        pack when it becomes available.

IV. WORKAROUND

    Configure the FTP server to disallow anonymous write authority only
    makes it so that the vulnerability cannot be exploited anonymously. 
    It can still be exploited by an authenticated user. The only complete
    workaround is to disable the FTP daemon:

      chsubserver -d -v ftp -p tcp
      refresh -s inetd
    
VI. CONTACT INFORMATION

    If you would like to receive AIX Security Advisories via email,
    please visit:
 
        http://www.ibm.com/systems/support
 
    and click on the "My notifications" link.
 
    To view previously issued advisories, please visit:
 
        http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
 
    Comments regarding the content of this announcement can be
    directed to:

        security-alert@austin.ibm.com
 
    To obtain the PGP public key that can be used to communicate
    securely with the AIX Security Team you can either:

        A. Send an email with "get key" in the subject line to:

            security-alert@austin.ibm.com

        B. Download the key from our web page:

  http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt

        C. Download the key from a PGP Public Key Server. The key ID is:

            0x28BFAA12
 
    Please contact your local IBM AIX support center for any
    assistance.
 
    eServer is a trademark of International Business Machines
    Corporation.  IBM, AIX and pSeries are registered trademarks of
    International Business Machines Corporation.  All other trademarks
    are property of their respective holders.

VII. ACKNOWLEDGMENTS

    This vulnerability was publicly disclosed by Kingcope.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)

iD8DBQFMpgvT4fmd+Ci/qhIRAnzVAJ488OLJm3nZLmKQR35se8R8p6WRIQCfV7AG
dpSLVBZ7YsAJanr2XlbF58s=
=aSBH
-----END PGP SIGNATURE-----