Vulnerability Note VU#258721
Various FTP clients fail to account for pipe (|) characters in default file names
Various FTP client implementations do not correctly handle files whose name begins with the "|" (pipe) character.
Most FTP clients include a feature in which the remote filename is used as the local filename in a GET (RETR) operation. For example, many FTP clients support syntax similar to the following:
ftp> get file.name local.name
Some FTP clients with both features present a security risk. If the name of the remote file begins with a pipe character (|), and an FTP client relies on the default local filename, the contents of the file will be piped through a command based on the name of the remote file. Specifically, the command will be the name of the remote file without the leading pipe (|) character. For example, if the remote file is named |logger, with the contents
In October of 1997, IBM's Emergency Response Service published a security advisory (ERS-SVA-E01-1997:009.1) detailing a vulnerability in the AIX FTP client. Quoting from ERS-SVA-E01-1997:009.1:
In 2003, this problem was discovered to have affected FTP clients that weren't fixed when the problem was originally discovered, most notably including the FTP client from MIT, which is redistributed by some operating system vendors such as Red Hat. The list of vendors below includes as "vulnerable" vendors who fixed their FTP clients in the 1997 time frame. Follow the links to individual vendor records for more detailed information.
A malicious server can execute arbitrary code on a victim FTP client.
Apply a vendor-supplied patch.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|MIT Kerberos Development Team||Affected||17 Jan 2003||24 Jan 2003|
|Red Hat Inc.||Affected||16 Jan 2003||03 Feb 2003|
|Sun Microsystems Inc.||Affected||16 Jan 2003||24 Jan 2003|
|Xerox Corporation||Affected||16 Jan 2003||30 May 2003|
|Apple Computer Inc.||Not Affected||16 Jan 2003||20 Jan 2003|
|Cisco Systems Inc.||Not Affected||16 Jan 2003||24 Jan 2003|
|Cray Inc.||Not Affected||16 Jan 2003||16 Jan 2003|
|FreeBSD||Not Affected||16 Jan 2003||21 Jan 2003|
|Hewlett-Packard Company||Not Affected||16 Jan 2003||28 Jan 2003|
|Hitachi||Not Affected||16 Jan 2003||24 Jan 2003|
|IBM||Not Affected||16 Jan 2003||16 Jan 2003|
|Ingrian Networks||Not Affected||16 Jan 2003||17 Jan 2003|
|Juniper Networks||Not Affected||16 Jan 2003||20 Jan 2003|
|MontaVista Software||Not Affected||16 Jan 2003||20 Jan 2003|
|NetBSD||Not Affected||16 Jan 2003||24 Jan 2003|
CVSS Metrics (Learn More)
Thanks to Fozzy of The Hackademy Audit Project for bringing this issue to our attention.
This document was written by Ian A. Finlay & Shawn V. Hernan.
- CVE IDs: CVE-1999-0097
- Date Public: 27 Oct 97
- Date First Published: 24 Jan 2003
- Date Last Updated: 05 Feb 2003
- Severity Metric: 17.69
- Document Revision: 49
If you have feedback, comments, or additional information about this vulnerability, please send us email.