Serious Linux/UNIX FTP Flaw Allows Command Execution

Keep on Guard!


A lot of old bugs have been biting us on the butt lately, and here’s another to add to the list. This week it was discovered a fairly nasty FTP Flaw Allows Command Execution when using the old but still fairly widely used. tnftp client

It’s a fairly unlikely set of circumstances however, and it is a client flaw not a server flaw – so you’d need to connect to a malicious server using tnftp to fall foul of this flaw.

Linux/UNIX FTP Flaw Allows Command Execution

Basically if you request a file, but don’t use the -o flag to specify an output filename the client will follow HTTP redirects and if the output of the filename begins with a pipe it will pass the rest to popen.

A serious vulnerability has been discovered in a File Transfer Protocol (FTP) client used by many Unix-like (*NIX) operating systems, representatives of the NetBSD Project reported on Tuesday.

The tnftp FTP client is fairly old, but it’s still widely used. It can be found in Red Hat’s Fedora, Debian, NetBSD, FreeBSD, OpenBSD, and even Apple’s OS X operating systems.

Jared McNeill, a software developer at the NetBSD Project, has identified a vulnerability that can be exploited via a malicious Web server to cause tnftp to execute arbitrary commands. The CVE-2014-8517 identifier has been assigned to the flaw.

FTP Vulnerability”If you do ‘ftp http://server/path/file.txt’; and don’t specify an output filename with -o, the ftp program can be tricked into executing arbitrary commands,” Alistair Crooks, security officer at the NetBSD Project, explained in an advisory published on the Full Disclosure mailing list. “The FTP client will follow HTTP redirects, and uses the part of the path after the last / from the last resource it accesses as the output filename (as long as -o is not specified).”


The flaw was however fixed in OpenBSD FIVE YEARS ago, shame no one noticed and they didn’t make more noise about it. Although it was fixed from another perspective, not to remedy this exact flaw.

Patches are coming out for this pretty fast, and it even effects the latest Apple OS X version Yosemite (10.10) – although I don’t expect Apple to really do anything much about it.

After it resolves the output filename, it checks to see if the output filename begins with a “|”, and if so, passes the rest to popen(3),” Crooks added.

The list of operating system developers that appear to be aware of the flaw includes Debian, Red Hat, Gentoo, Novell (SuSE Linux), DragonFly, FreeBSD, and Apple. Debian, Red Hat, Gnetoo and Novell have each published advisories for the bug.

The tnftp vulnerability affects OS X Yosemite 10.10, the latest version of the Mac operating system. Apple has been notified, but Crooks says he received only a “boilerplate reply” from the company.

Interestingly, the issue was fixed in OpenBSD five years ago.

“I changed OpenBSD’s ftp(1) a while ago to just use the ‘filename’ part of the original request, rather than taking a name from the redirection target (this also matches what curl -O does) – it’s a bit less convenient in some cases, but it felt like a bad idea to allow the output filename to be under control of the remote host (though I was more thinking of the situation where someone might run it from their home directory and write to something like .profile),” Stuart Henderson of OpenBSD wrote in response to Crooks’ post.

Look out for patches for your OS, or install another ftp client (that may or may not be more secure) at your own risk. I can’t see a whole lot of damage being caused via this, as it’s a client side rather than server side issue – but some people might try and have some fun with it.

But honestly, how often are *nix users accessing web resources using a FTP client rather than CURL or wget?

Anyway, we shall see if anything comes of this.

Source: Security Week


Posted in: Exploits/Vulnerabilities, Linux Hacking, Networking Hacking

Latest Posts:


BSQLinjector - Blind SQL Injection Tool Download BSQLinjector – Blind SQL Injection Tool Download in Ruby
BSQLinjector is an easy to use Blind SQL Injection tool in Ruby, that uses blind methods to retrieve data from SQL databases.
CCleaner Hack - Spreading Malware To Specific Tech Companies CCleaner Hack – Spreading Malware To Specific Tech Companies
The CCleaner Hack is blowing up, initially estimated to be huge, it's hit at least 700k computers & is specifically targeting 20 top tech organisations.
AWSBucketDump - AWS S3 Security Scanning Tool AWSBucketDump – AWS S3 Security Scanning Tool
AWSBucketDump is an AWS S3 Security Scanning Tool, which allows you to quickly enumerate AWS S3 buckets to look for interesting or confidential files.
nbtscan Download - NetBIOS Scanner For Windows & Linux nbtscan Download – NetBIOS Scanner For Windows & Linux
nbtscan is a command-line NetBIOS scanner for Windows that is SUPER fast, it scans for open NetBIOS nameservers on a local or remote TCP/IP network.
Equifax Data Breach - Hack Due To Missed Apache Patch Equifax Data Breach – Hack Due To Missed Apache Patch
The Equifax data breach is pretty huge with 143 million records leaked from the hack in the US alone with unknown more in Canada and the UK.
Seth - RDP Man In The Middle Attack Tool Seth – RDP Man In The Middle Attack Tool
Seth is an RDP Man In The Middle attack tool written in Python to MiTM RDP connections by attempting to downgrade the connection to extract clear text creds


One Response to Serious Linux/UNIX FTP Flaw Allows Command Execution

  1. Allen Minix November 6, 2014 at 11:25 pm #

    Further proof that absolutely nothing is totally secure!