I have a bone to pick with Sun's classification of the FTP traversal vulnerability as 'not a bug'. Most notably:
The Solaris ftp mget behaviour is consistent with other BSD derived ftp clients, for example on Linux and FreeBSD. Changing the existing behaviour will cause problems.
I will simply classify this comment as "the lemming response": 'Everybody else has this bug, so we'll leave it that way'.

First of all, it would appear that Linux (Red Hat) and (Open)BSD developers are responding to this issue as a bug and appear to be developing/distributing solutions. Secondly, these directory traversal activities are in response to clearly non-standard responses from a server. I can't think of any case where a legitimate FTP server would respond with those file names and expect that the files would be installed in such a location. I don't see how breaking an obvious exploit that has few (if any) legitimate uses would 'cause problems'. If Sun wants to enable the few cases where a user actually *wanted* to enable directory traversal, it would be easy enough to code in a runtime flag.

This issue is also not only a systems vulnerability. An attacker could, for example, craft an exploit aimed at a specific user, resulting in the replacement/destruction of a document with legal/political significance. It could also result in the destruction/modification of system-significant files associated with an account used to do automated downloads. The runique and interactive workarounds are only useful for interactive (not script or batch) downloads, and/or where existing files are not usually expected to be replaced in the normal course of actions.

In short, I'm very disappointed by Sun's unwillingness to address this exploit as the bug that it clearly is -- insecure actions in the face of entirely non-standard input.

-- 
Stephen Samuel  +1(604)876-0426  samuel@bcgreen.com
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and doubt to touch the jewel within each person and bring it to life.
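The mget naming decision the post argues about, as an added worked example. This is not code from the original post, from Sun, or from any BSD-derived ftp client; it is a Python model of the behaviour: the client asks the server for a listing (NLST), then uses each returned name unchanged as the local path it writes to. The NLST reply below is constructed, and `vulnerable_local_path`, `is_safe_name`, `hardened_local_path` and `plan_mget` are hypothetical names chosen for illustration. The hardened variant refuses any server-supplied name that would escape the download directory, with an opt-in flag standing in for the runtime flag the post proposes for the rare case where a user actually wants traversal.

```python
"""Added example: modelling a BSD-style ftp client's mget naming before and
after a fix for server-controlled directory traversal.  Not vendor code."""
import posixpath  # POSIX path rules regardless of the host platform

# Constructed NLST reply from a hostile server.  The first two and the last
# entries are ordinary; the rest try to write outside the download directory.
NLST_REPLY = [
    "README",
    "pkg-1.2.tar.gz",
    "../../.rhosts",
    "/etc/passwd",
    "docs/../../../.profile",
    "sub/dir/file.txt",
]


def vulnerable_local_path(download_dir: str, server_name: str) -> str:
    """Pre-fix behaviour: the server-supplied name is trusted verbatim.

    join() discards download_dir entirely when server_name is absolute, and
    normpath() happily collapses "dl/../../.rhosts" into a path above dl.
    """
    return posixpath.normpath(posixpath.join(download_dir, server_name))


def is_safe_name(server_name: str) -> bool:
    """True only for a non-empty relative name whose components never step
    upward or contain empty / "." segments (which hide "//" and "./" tricks)."""
    if not server_name or server_name.startswith("/"):
        return False
    return all(part not in ("", ".", "..") for part in server_name.split("/"))


def hardened_local_path(download_dir: str, server_name: str,
                        allow_traversal: bool = False) -> str:
    """Post-fix behaviour: refuse names that leave download_dir unless the
    caller explicitly opted in (the runtime flag the post suggests)."""
    if allow_traversal:
        return vulnerable_local_path(download_dir, server_name)
    if not is_safe_name(server_name):
        raise ValueError(f"refusing server-supplied name {server_name!r}")
    base = posixpath.abspath(download_dir)
    target = posixpath.abspath(posixpath.join(base, server_name))
    # Independent second check: the resolved path must still sit under base.
    if posixpath.commonpath([base, target]) != base:
        raise ValueError(f"{server_name!r} resolves outside {base!r}")
    return target


def plan_mget(download_dir: str, names, allow_traversal: bool = False):
    """Decide, for every name the server returned, whether mget may write it.

    Returns (accepted, rejected): accepted is a list of (server_name,
    local_path) pairs, rejected is the list of names that were refused.
    """
    accepted, rejected = [], []
    for name in names:
        try:
            accepted.append((name, hardened_local_path(download_dir, name,
                                                       allow_traversal)))
        except ValueError:
            rejected.append(name)
    return accepted, rejected


if __name__ == "__main__":
    dl = "/home/alice/dl"
    for name in NLST_REPLY:
        print(f"{name!r:28} -> (old) {vulnerable_local_path(dl, name)}")
    ok, bad = plan_mget(dl, NLST_REPLY)
    print("accepted:", [n for n, _ in ok])
    print("rejected:", bad)
```

The two checks in `hardened_local_path` are deliberately redundant: the lexical test on components is what a client can explain to the user, and the `commonpath` test catches anything the lexical rule missed. Nothing here touches the real filesystem, so the model can be run against any captured listing.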