
Remote code execution flaws fixed in tnftp and wget

Linux bods thankful, Apple a stone-cold boilerplate

By Darren Pauli, 3 Nov 2014

The maintainer of the tnftp FTP client has patched a remote code execution vulnerability which affected operating systems including NetBSD, FreeBSD and Mac OS X.

The flaw (CVE-2014-8517), which did not affect OpenBSD due to modifications, was patched over the weekend.

Maintainer Luke Mewburn notified NetBSD (which ships tnftp) of the patch in a mailing list post after warning subscribers about the hole last week.

NetBSD security bod Alistair Crook forewarned FreeBSD and Dragonfly, and received a "boilerplate reply" from Apple after warning it about the impact to OS X 10.10 (Yosemite).

Crook explained that malicious servers could cause tnftp to run arbitrary commands when an output file was not specified.

"If you [issue] "ftp http://server/path/file.txt" and don't specify an output filename with -o, the ftp program can be tricked into executing arbitrary commands.

The FTP client will follow HTTP redirects, and uses the part of the path after the last / from the last resource it accesses as the output filename (as long as -o is not specified).

After it resolves the output filename, it checks to see if the output filename begins with a "|", and if so, passes the rest to popen(3): http://nxr.netbsd.org/xref/src/usr.bin/ftp/fetch.c#1156"
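The decision path Crook describes (derive the output name from the last path segment of the final URL, then treat a leading "|" as a pipe to popen(3)) is small enough to model directly. The following is an added example, not tnftp's own fetch.c code or the actual NetBSD patch: it reproduces the vulnerable choice of output name beside a hardened variant that only honours a "|" prefix when the name came from the user's -o, never from a server-controlled URL. The redirect target, the function names and the "from_remote" flag are all assumptions for illustration; nothing here actually calls popen(3).

```c
#include <stdio.h>
#include <string.h>

/* What the client does with the resolved output filename. */
enum action { ACT_WRITE_FILE, ACT_POPEN, ACT_REFUSE };

/* Output name as the quoted description says tnftp derived it:
 * everything after the last '/' of the last URL it fetched. */
const char *basename_of_url(const char *url)
{
    const char *slash = strrchr(url, '/');
    return slash ? slash + 1 : url;
}

/* Vulnerable decision: a leading '|' means "pipe the body into a shell
 * command via popen(3)", no matter where the name came from. */
enum action decide_vulnerable(const char *outfile)
{
    return outfile[0] == '|' ? ACT_POPEN : ACT_WRITE_FILE;
}

/* Hardened decision (an assumed fix, not the tnftp patch itself): the
 * pipe feature stays available for an explicit -o, but a name derived
 * from a remote URL is refused if it starts with '|'. */
enum action decide_hardened(const char *outfile, int from_remote)
{
    if (outfile[0] == '|')
        return from_remote ? ACT_REFUSE : ACT_POPEN;
    return ACT_WRITE_FILE;
}

/* Whole flow: final_url is the URL reached after following redirects,
 * user_outfile is the -o argument or NULL, hardened selects which
 * decision logic to apply. */
enum action fetch_action(const char *final_url, const char *user_outfile,
                         int hardened)
{
    int from_remote = (user_outfile == NULL);
    const char *name = from_remote ? basename_of_url(final_url) : user_outfile;
    return hardened ? decide_hardened(name, from_remote)
                    : decide_vulnerable(name);
}

static const char *action_str(enum action a)
{
    switch (a) {
    case ACT_POPEN:  return "popen(3) of the rest of the name";
    case ACT_REFUSE: return "refused";
    default:         return "written to a file";
    }
}

int main(void)
{
    /* Constructed scenario: the user ran "ftp http://server/path/file.txt"
     * without -o, and a malicious server answered with a redirect to
     * this URL, whose last path segment begins with '|'. */
    const char *evil = "http://server/path/|id";

    printf("output name from URL: %s\n", basename_of_url(evil));
    printf("vulnerable client:    %s\n", action_str(fetch_action(evil, NULL, 0)));
    printf("hardened client:      %s\n", action_str(fetch_action(evil, NULL, 1)));
    printf("hardened, -o given:   %s\n", action_str(fetch_action(evil, "out.txt", 1)));
    return 0;
}
```

The point the model makes explicit is that the "|" convention is only safe while the string is under the local user's control; once the name is taken from a redirect chain, the server picks the command, which is why passing -o sidesteps the bug.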

The tnftp fix followed a patch for GNU Wget, the download tool popular with Linux users, which closed a separate remote code execution hole (CVE-2014-4877) in versions prior to 1.16 that was reachable when Wget ran in recursive mode against an FTP server, according to Rapid7 chief research officer HD Moore. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing