A lot of old bugs have been biting us on the butt lately, and here’s another to add to the list. This week it was discovered a fairly nasty FTP Flaw Allows Command Execution when using the old but still fairly widely used. tnftp client
It’s a fairly unlikely set of circumstances however, and it is a client flaw not a server flaw – so you’d need to connect to a malicious server using tnftp to fall foul of this flaw.
Basically if you request a file, but don’t use the -o flag to specify an output filename the client will follow HTTP redirects and if the output of the filename begins with a pipe it will pass the rest to popen.
A serious vulnerability has been discovered in a File Transfer Protocol (FTP) client used by many Unix-like (*NIX) operating systems, representatives of the NetBSD Project reported on Tuesday.
The tnftp FTP client is fairly old, but it’s still widely used. It can be found in Red Hat’s Fedora, Debian, NetBSD, FreeBSD, OpenBSD, and even Apple’s OS X operating systems.
Jared McNeill, a software developer at the NetBSD Project, has identified a vulnerability that can be exploited via a malicious Web server to cause tnftp to execute arbitrary commands. The CVE-2014-8517 identifier has been assigned to the flaw.
FTP Vulnerability”If you do ‘ftp http://server/path/file.txt'; and don’t specify an output filename with -o, the ftp program can be tricked into executing arbitrary commands,” Alistair Crooks, security officer at the NetBSD Project, explained in an advisory published on the Full Disclosure mailing list. “The FTP client will follow HTTP redirects, and uses the part of the path after the last / from the last resource it accesses as the output filename (as long as -o is not specified).”
The flaw was however fixed in OpenBSD FIVE YEARS ago, shame no one noticed and they didn’t make more noise about it. Although it was fixed from another perspective, not to remedy this exact flaw.
Patches are coming out for this pretty fast, and it even effects the latest Apple OS X version Yosemite (10.10) – although I don’t expect Apple to really do anything much about it.
After it resolves the output filename, it checks to see if the output filename begins with a “|”, and if so, passes the rest to popen(3),” Crooks added.
The list of operating system developers that appear to be aware of the flaw includes Debian, Red Hat, Gentoo, Novell (SuSE Linux), DragonFly, FreeBSD, and Apple. Debian, Red Hat, Gnetoo and Novell have each published advisories for the bug.
The tnftp vulnerability affects OS X Yosemite 10.10, the latest version of the Mac operating system. Apple has been notified, but Crooks says he received only a “boilerplate reply” from the company.
Interestingly, the issue was fixed in OpenBSD five years ago.
“I changed OpenBSD’s ftp(1) a while ago to just use the ‘filename’ part of the original request, rather than taking a name from the redirection target (this also matches what curl -O does) – it’s a bit less convenient in some cases, but it felt like a bad idea to allow the output filename to be under control of the remote host (though I was more thinking of the situation where someone might run it from their home directory and write to something like .profile),” Stuart Henderson of OpenBSD wrote in response to Crooks’ post.
Look out for patches for your OS, or install another ftp client (that may or may not be more secure) at your own risk. I can’t see a whole lot of damage being caused via this, as it’s a client side rather than server side issue – but some people might try and have some fun with it.
But honestly, how often are *nix users accessing web resources using a FTP client rather than CURL or wget?
Anyway, we shall see if anything comes of this.
Source: Security Week