RCE security vulnerability affecting NetBSD, FreeBSD and Mac OS X now fixed
November 3, 2014
The people responsible for maintaining the TN FTP client (tnftp) have patched a remote code execution security vulnerability that affected operating systems including NetBSD, FreeBSD and Mac OS X.
The security flaw (known as CVE-2014-8517), which did not affect OpenBSD due to previous modifications, was patched over the weekend, we are told.
One of the maintainers, Luke Mewburn, notified NetBSD, which ships tnftp, of the security patch in a mailing list post after warning subscribers about the flaw last week.
NetBSD security chap Alistair Crook then forewarned FreeBSD and Dragonfly, and received a boilerplate reply from Apple after warning it about the impact on OS X 10.10 (dubbed Yosemite).
Crook then explained that malicious servers could cause tnftp to run arbitrary commands when an output file was not specified.
"If you issue ftp http://server/path/file.txt and don't specify an output filename with -o, the ftp program can be tricked into executing arbitrary commands.
The FTP client will then follow some HTTP redirects and then use the part of the path after the last / from the resource it accessed the last time as the output filename (as long as -o is not specified).
After it resolves the output filename, it then checks to see if the output filename begins with a "|" and if so, passes the rest to popen: http://nxr.netbsd.org/xref/src/usr.bin/ftp/fetch.c#1156".
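The check that closes this class of bug is to track where the output name came from. The following is an added example, not code from tnftp's fetch.c or from the patch itself: the function and enum names are hypothetical, the sample paths are constructed, and it assumes the pipe behaviour should remain available only for a name the user supplied with -o.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not taken from tnftp's fetch.c. */
enum out_kind { OUT_FILE, OUT_PIPE, OUT_REJECT };

/* Last path component of a URL path, as the quoted description says the
 * client derives it ("the part of the path after the last /"). */
static const char *last_component(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* Decide how an output name may be opened.
 * from_user: nonzero if the name came from -o on the command line,
 *            zero if it was derived from the (possibly redirected) URL. */
enum out_kind classify_output(const char *name, int from_user)
{
    if (name == NULL || *name == '\0')
        return OUT_REJECT;          /* nothing usable to write to */
    if (name[0] == '|')
        /* Assumption of this example: only a name the user typed may
         * select the pipe behaviour; a server-controlled name is just
         * a file whose name happens to start with '|'. */
        return from_user ? OUT_PIPE : OUT_FILE;
    return OUT_FILE;
}

/* Classify the name a client would derive from the final URL path. */
enum out_kind classify_derived(const char *url_path)
{
    return classify_output(last_component(url_path), 0);
}

int main(void)
{
    /* Constructed sample paths, as seen after following redirects. */
    const char *samples[] = { "/path/file.txt", "/x/|cmd", "/dir/" };
    static const char *label[] = { "file", "pipe", "reject" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %s\n", samples[i], label[classify_derived(samples[i])]);
    printf("-o '|less'       -> %s\n", label[classify_output("|less", 1)]);
    return 0;
}
```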
The tnftp patch followed the fix for GNU Wget, popular with Linux users, which closed off a separate remote code execution hole (CVE-2014-4877) present in versions prior to 1.16 when operating in recursive mode with an FTP target.