Serious Linux/UNIX FTP Flaw Allows Command Execution


A lot of old bugs have been biting us on the butt lately, and here’s another to add to the list. This week it was discovered a fairly nasty FTP Flaw Allows Command Execution when using the old but still fairly widely used. tnftp client

It’s a fairly unlikely set of circumstances however, and it is a client flaw not a server flaw – so you’d need to connect to a malicious server using tnftp to fall foul of this flaw.

Linux/UNIX FTP Flaw Allows Command Execution

Basically if you request a file, but don’t use the -o flag to specify an output filename the client will follow HTTP redirects and if the output of the filename begins with a pipe it will pass the rest to popen.

A serious vulnerability has been discovered in a File Transfer Protocol (FTP) client used by many Unix-like (*NIX) operating systems, representatives of the NetBSD Project reported on Tuesday.

The tnftp FTP client is fairly old, but it’s still widely used. It can be found in Red Hat’s Fedora, Debian, NetBSD, FreeBSD, OpenBSD, and even Apple’s OS X operating systems.

Jared McNeill, a software developer at the NetBSD Project, has identified a vulnerability that can be exploited via a malicious Web server to cause tnftp to execute arbitrary commands. The CVE-2014-8517 identifier has been assigned to the flaw.

FTP Vulnerability”If you do ‘ftp http://server/path/file.txt’; and don’t specify an output filename with -o, the ftp program can be tricked into executing arbitrary commands,” Alistair Crooks, security officer at the NetBSD Project, explained in an advisory published on the Full Disclosure mailing list. “The FTP client will follow HTTP redirects, and uses the part of the path after the last / from the last resource it accesses as the output filename (as long as -o is not specified).”


The flaw was however fixed in OpenBSD FIVE YEARS ago, shame no one noticed and they didn’t make more noise about it. Although it was fixed from another perspective, not to remedy this exact flaw.

Patches are coming out for this pretty fast, and it even effects the latest Apple OS X version Yosemite (10.10) – although I don’t expect Apple to really do anything much about it.

After it resolves the output filename, it checks to see if the output filename begins with a “|”, and if so, passes the rest to popen(3),” Crooks added.

The list of operating system developers that appear to be aware of the flaw includes Debian, Red Hat, Gentoo, Novell (SuSE Linux), DragonFly, FreeBSD, and Apple. Debian, Red Hat, Gnetoo and Novell have each published advisories for the bug.

The tnftp vulnerability affects OS X Yosemite 10.10, the latest version of the Mac operating system. Apple has been notified, but Crooks says he received only a “boilerplate reply” from the company.

Interestingly, the issue was fixed in OpenBSD five years ago.

“I changed OpenBSD’s ftp(1) a while ago to just use the ‘filename’ part of the original request, rather than taking a name from the redirection target (this also matches what curl -O does) – it’s a bit less convenient in some cases, but it felt like a bad idea to allow the output filename to be under control of the remote host (though I was more thinking of the situation where someone might run it from their home directory and write to something like .profile),” Stuart Henderson of OpenBSD wrote in response to Crooks’ post.

Look out for patches for your OS, or install another ftp client (that may or may not be more secure) at your own risk. I can’t see a whole lot of damage being caused via this, as it’s a client side rather than server side issue – but some people might try and have some fun with it.

But honestly, how often are *nix users accessing web resources using a FTP client rather than CURL or wget?

Anyway, we shall see if anything comes of this.

Source: Security Week

Posted in: Exploits/Vulnerabilities, Linux Hacking, Networking Hacking


Latest Posts:


Sooty - SOC Analyst All-In-One CLI Tool Sooty – SOC Analyst All-In-One CLI Tool
Sooty is a tool developed with the task of aiding a SOC analyst to automate parts of their workflow and speed up their process.
UBoat - Proof Of Concept PoC HTTP Botnet Project UBoat – Proof Of Concept PoC HTTP Botnet Project
UBoat is a PoC HTTP Botnet designed to replicate a full weaponised commercial botnet like the famous large scale infectors Festi, Grum, Zeus and SpyEye.
LambdaGuard - AWS Lambda Serverless Security Scanner LambdaGuard – AWS Lambda Serverless Security Scanner
LambdaGuard is a tool which allows you to visualise and audit the security of your serverless assets, an open-source AWS Lambda Serverless Security Scanner.
exe2powershell - Convert EXE to BAT Files exe2powershell – Convert EXE to BAT Files
exe2powershell is used to convert EXE to BAT files, the previously well known tool for this was exe2bat, this is a version for modern Windows.
HiddenWall - Create Hidden Kernel Modules HiddenWall – Create Hidden Kernel Modules
HiddenWall is a Linux kernel module generator used to create hidden kernel modules to protect your server from attackers.
Anteater - CI/CD Security Gate Check Framework Anteater – CI/CD Security Gate Check Framework
Anteater is a CI/CD Security Gate Check Framework to prevent the unwanted merging of filenames, binaries, deprecated functions, staging variables and more.


One Response to Serious Linux/UNIX FTP Flaw Allows Command Execution

  1. Allen Minix November 6, 2014 at 11:25 pm #

    Further proof that absolutely nothing is totally secure!