A serious vulnerability has been discovered in a File Transfer Protocol (FTP) client used by many Unix-like (*NIX) operating systems, representatives of the NetBSD Project reported on Tuesday.
The tnftp FTP client is fairly old, but it’s still widely used. It can be found in Red Hat’s Fedora, Debian, NetBSD, FreeBSD, OpenBSD, and even Apple’s OS X operating systems.
Jared McNeill, a software developer at the NetBSD Project, has identified a vulnerability that can be exploited via a malicious Web server to cause tnftp to execute arbitrary commands. The CVE-2014-8517 identifier has been assigned to the flaw.
“If you do ‘ftp http://server/path/file.txt’; and don’t specify an output filename with -o, the ftp program can be tricked into executing arbitrary commands,” Alistair Crooks, security officer at the NetBSD Project, explained in an advisory published on the Full Disclosure mailing list. “The FTP client will follow HTTP redirects, and uses the part of the path after the last / from the last resource it accesses as the output filename (as long as -o is not specified).”
“After it resolves the output filename, it checks to see if the output filename begins with a “|”, and if so, passes the rest to popen(3),” Crooks added.
The list of operating system developers that appear to be aware of the flaw includes Debian, Red Hat, Gentoo, Novell (SuSE Linux), DragonFly, FreeBSD, OpenBSD, and Apple. Debian, Red Hat, Gentoo and Novell have each published advisories for the bug.
The tnftp vulnerability affects OS X Yosemite 10.10, the latest version of the Mac operating system. Apple has been notified, but Crooks says he received only a “boilerplate reply” from the company.
Interestingly, the issue was fixed in OpenBSD five years ago.
“I changed OpenBSD’s ftp(1) a while ago to just use the ‘filename’ part of the original request, rather than taking a name from the redirection target (this also matches what curl -O does) – it’s a bit less convenient in some cases, but it felt like a bad idea to allow the output filename to be under control of the remote host (though I was more thinking of the situation where someone might run it from their home directory and write to something like .profile),” Stuart Henderson of OpenBSD wrote in response to Crooks’ post.