NetBSD ftpd Request Processing Bug Permits Cross-Site Request Forgery Attacks
SecurityTracker Alert ID: 1021112
SecurityTracker URL: http://securitytracker.com/id?1021112
CVE Reference: CVE-2008-4247
Date: Oct 28 2008
Impact: Execution of arbitrary code via network
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: NetBSD Security Advisory
Description: A vulnerability was reported in NetBSD ftpd. A remote user can conduct cross-site request forgery attacks against users who have an FTP session open to the server.
ftpd splits an overlong command line into multiple commands instead of rejecting it, so a long 'ftp://' URL is broken by the FTP server into several requests and the part after the split point is executed as a command of its own. A remote user can create a specially crafted 'ftp://' URL that, when loaded by a target user who is authenticated to the server (for example in a web browser), causes attacker-chosen FTP commands to be executed on the target FTP server with the privileges of the target user. Because the split happens on the server, the URL needs no embedded CR/LF.
Maksymilian Arciemowicz of securityreason.com reported this vulnerability.
Impact: A remote user can cause arbitrary FTP commands to be executed, with the privileges of the authenticated target user, on the target NetBSD ftpd server.
Solution: The vendor has issued a source code fix.
The vendor's advisory is available at:
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc
Vendor URL: ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc
Cause: Input validation error
Underlying OS: UNIX (NetBSD)
Underlying OS Comments: 3.0, 3.1, 4.0
Reported By: NetBSD Security-Officer <security-officer@NetBSD.org>
Message History:
None.
Source Message Contents
Date: Mon, 27 Oct 2008 22:46:19 +0000
From: NetBSD Security-Officer <security-officer@NetBSD.org>
Subject: NetBSD Security Advisory 2008-014: Cross-site request forgery in
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2008-014
=================================
Topic:          Cross-site request forgery in ftpd(8)
Version:        NetBSD-current:     affected
                NetBSD 4.0.*:       not affected
                NetBSD 4.0:         affected
                NetBSD 3.1.*:       affected
                NetBSD 3.1:         affected
                NetBSD 3.0.*:       affected
                NetBSD 3.0:         affected
Severity:       Cross-site request forgery
Fixed:          NetBSD-current:     September 13, 2008
                NetBSD-4-0 branch:  September 18, 2008
                                    (4.0.1 includes the fix)
                NetBSD-4 branch:    September 18, 2008
                                    (4.1 will include the fix)
                NetBSD-3-1 branch:  September 18, 2008
                                    (3.1.2 will include the fix)
                NetBSD-3-0 branch:  September 18, 2008
                                    (3.0.4 will include the fix)
                NetBSD-3 branch:    September 18, 2008
                                    (3.2 will include the fix)
                pkgsrc:             tnftpd-20081009 corrects the issue
Abstract
========
When accessing NetBSD servers running ftpd(8), certain commands can aid
attackers in executing CSRF attacks, e.g. when a web browser is used to
access FTP servers.
This vulnerability has been assigned CVE-2008-4247.
Technical Details
=================
When accessing NetBSD servers running ftpd(8), long command lines are split
by the server into multiple commands instead of being rejected. An attacker
who can make a victim with an open session send one overlong command line
(for example by having the victim's browser load a long ftp:// URL) can
therefore have the tail of that line executed as further commands of the
attacker's choosing, with the victim's privileges. No CR/LF has to be
embedded in the URL, which is what makes this usable as a CSRF vector.
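The splitting mechanism described in the Description above and in this Technical Details section, as an added illustration that is not NetBSD's ftpd(8) code: a simulated server command reader with a fixed-size line buffer that, like a loop around fgets(3), hands every chunk it reads to the command dispatcher, beside a hardened reader that discards the rest of an overlong line and answers with an error. The 64-byte buffer, the `CWD` prefix and the smuggled `DELE secret.txt` are assumptions chosen for the demo, and the mapping from an ftp:// URL to a single `CWD` line is an assumed client behaviour. The crafted-line builder generalizes beyond the advisory text: any buffer size works as long as the attacker aligns the padding to it.

```python
"""Constructed demo of the CVE-2008-4247 mechanism: a fixed-size line reader
that turns the overflow of one overlong FTP command line into a second
command.  Illustration code, not NetBSD's ftpd(8); the buffer size, command
names and file name are assumptions."""
import io

BUFSIZE = 64  # assumption: the server reads lines as fgets(buf, 64, fp) would
REJECTED = "500 Command line too long"  # what the hardened reader replies instead


def _chunks(raw, bufsize):
    """Yield what successive fgets(buf, bufsize, fp) calls return: at most
    bufsize-1 bytes per call, stopping early only at a newline."""
    stream = io.BytesIO(raw)
    while True:
        chunk = stream.readline(bufsize - 1)
        if not chunk:
            return
        yield chunk


def vulnerable_commands(raw, bufsize=BUFSIZE):
    """Pre-fix behaviour: every chunk is dispatched as a complete command, so a
    line longer than the buffer is silently split into several commands."""
    return [c.rstrip(b"\r\n").decode("ascii", "replace")
            for c in _chunks(raw, bufsize)]


def hardened_commands(raw, bufsize=BUFSIZE):
    """Fixed behaviour: a chunk without a trailing newline means the line did
    not fit.  Drain the remainder of that line, record the error reply, and
    never dispatch any part of it.  Later well-formed lines are still served."""
    seen = []
    chunks = _chunks(raw, bufsize)
    for chunk in chunks:
        if chunk.endswith(b"\n"):
            seen.append(chunk.rstrip(b"\r\n").decode("ascii", "replace"))
            continue
        for rest in chunks:          # discard until the overlong line really ends
            if rest.endswith(b"\n"):
                break
        seen.append(REJECTED)
    return seen


def crafted_line(smuggled, bufsize=BUFSIZE, prefix="CWD "):
    """Build the one command line the victim's client is assumed to send for an
    attacker-supplied ftp:// path: pad the path so the first bufsize-1 bytes
    fill the server's buffer exactly, then place the smuggled command so it
    starts a fresh chunk.  No CR/LF appears anywhere in the attacker's part."""
    pad = "A" * (bufsize - 1 - len(prefix))
    return (prefix + pad + smuggled + "\r\n").encode("ascii")


if __name__ == "__main__":
    line = crafted_line("DELE secret.txt")
    print("on the wire:    ", line)
    print("vulnerable sees:", vulnerable_commands(line))
    print("hardened sees:  ", hardened_commands(line))
```

The vulnerable reader dispatches `DELE secret.txt` as a second command even though the client sent a single line; the hardened reader reports one rejected line and nothing else, and a following well-formed `QUIT` is still processed normally.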
Solutions and Workarounds
=========================
Only NetBSD systems with ftpd(8) enabled may be vulnerable to this issue.
ftpd(8) is not enabled by default in NetBSD generic installations.
As a temporary workaround disable ftpd(8) from the base OS and use the
tnftpd-20081009 package from pkgsrc which contains a fix.
The following instructions describe how to upgrade your ftpd
binaries by updating your source tree and rebuilding and installing
a new version of ftpd.
* NetBSD-current:
Systems running NetBSD-current dated from before 2008-09-13
should be upgraded to NetBSD-current dated 2008-09-14 or later.
The following files/directories need to be updated from the
netbsd-current CVS branch (aka HEAD):
libexec/ftpd
To update from CVS, re-build, and re-install ftpd:
# cd src
# cvs update -d -P libexec/ftpd
# cd libexec/ftpd
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 4.*:
Systems running NetBSD 4.* sources dated from before
2008-09-18 should be upgraded from NetBSD 4.* sources dated
2008-09-19 or later.
The following files/directories need to be updated from the
netbsd-4 or netbsd-4-0 branches:
libexec/ftpd
To update from CVS, re-build, and re-install ftpd:
# cd src
# cvs update -r <branch_name> -d -P libexec/ftpd
# cd libexec/ftpd
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
* NetBSD 3.*:
Systems running NetBSD 3.* sources dated from before
2008-09-18 should be upgraded from NetBSD 3.* sources dated
2008-09-19 or later.
The following files/directories need to be updated from the
netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
libexec/ftpd
To update from CVS, re-build, and re-install ftpd:
# cd src
# cvs update -r <branch_name> -d -P libexec/ftpd
# cd libexec/ftpd
# make USETOOLS=no cleandir dependall
# make USETOOLS=no install
Thanks To
=========
Maksymilian Arciemowicz is credited with the discovery of this issue.
Luke Mewburn supplied the fixes and did the testing.
Revision History
================
2008-10-27 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.
Copyright 2008, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2008-014.txt,v 1.4 2008/10/27 19:47:39 adrianp Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (NetBSD)
iQCVAwUBSQYcLz5Ru2/4N2IFAQL2bwP+OH9WZ4nyrTK51+t/Xh1zgMi6dS6xu0hx
Cz8EtOKgOp062a0r87ZXk3fKBzKewsc4LHPXwsmL5wRJ6UqoosvZUFEOVXsnxR1I
7i212TLph2WKQ09aeu87Z5u6ABCoIvTqxPUfX8G+v4zg71dlkwr/2hpk6KSl5apc
qw1m1Cy1X7g=
=Motz
-----END PGP SIGNATURE-----