CVE-2014-8517
Published 2014-11-17
Priority: P274 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 69.12% (99.3th percentile)
The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.
Affected
27 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | mac_os_x | — | — |
| apple | os_x_yosemite_v10.10.2_and_security_update_2015-001 | — | — |
| debian | tnftp | < tnftp 20130505-2 (bookworm) | tnftp 20130505-2 (bookworm) |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
| netbsd | netbsd | — | — |
Detection & IOCs (extracted from sources)
- Detect HTTP redirect responses where the final path component (after the last '/') begins with a '|' pipe character; this is the trigger for tnftp's popen() execution.
- Monitor for HTTP 302/redirect responses sent to User-Agent strings matching '(tn|NetBSD-)ftp' where the Location header URI ends with a pipe-prefixed string (e.g., '%7C<command>').
- The Metasploit module encodes the pipe-prefixed payload using hex-all URI encoding before appending it to the redirect URI, so look for hex-encoded '%7C' at the end of redirect Location headers targeting ftp clients.
- The exploit requires a two-stage HTTP interaction: first a redirect response, then content delivery on a secondary port. Monitor for ftp client processes spawning unexpected child processes via popen().
- The exploit payload must not contain '/' characters (BadChars restriction). Detection rules for the pipe-prefixed filename in HTTP redirects should account for slash-free command strings.
- Exploitation only occurs when tnftp/ftp(1) is invoked without the '-o' command-line option; if '-o' is specified, the server-controlled filename is not used.
- The payload cannot contain '/' characters, which limits the range of exploitable commands to those not requiring path separators.
- The Apple advisory entry for CVE-2014-8517 appears to be mislabeled: it describes an NTP issue, not the tnftp pipe vulnerability. Do not rely on Apple's description for this CVE.
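The first three detection notes above can be combined into one check over proxy or IDS records. The following is an added example, not code from any of the listed sources; the record layout, the sample User-Agent values and the sample hosts are constructed, and decoding the path before splitting is a conservative assumption rather than tnftp's documented behaviour.

```python
import re
from urllib.parse import urlsplit, unquote

# User-Agent pattern quoted in the detection notes on this page.
FTP_CLIENT_UA = re.compile(r"(tn|NetBSD-)ftp")
REDIRECT_CODES = {301, 302, 303, 307, 308}

def savefile_component(location):
    """Percent-decoded last path component of a redirect target."""
    # Decode before splitting so a hex-encoded '/' cannot hide the final
    # component (a conservative choice, not taken from the tnftp source).
    path = unquote(urlsplit(location).path)
    return path.rsplit("/", 1)[-1]

def check_exchange(status, user_agent, location):
    """Return a finding dict for a pipe-prefixed redirect, else None."""
    if status not in REDIRECT_CODES or not location:
        return None
    name = savefile_component(location)
    if not name.startswith("|"):
        return None
    return {
        "location": location,
        "decoded_name": name,
        # True when the redirect was served to a tnftp/NetBSD ftp client.
        "ftp_client": bool(FTP_CLIENT_UA.search(user_agent or "")),
        # True when the pipe arrived percent-encoded (hex-all style).
        "hex_encoded_pipe": "%7c" in location.lower(),
    }

# Constructed records: (status, User-Agent, Location). Not real traffic.
SAMPLES = [
    (302, "NetBSD-ftp/20130505", "http://203.0.113.5:8081/%7c%69%64"),
    (302, "curl/8.5.0", "https://example.org/downloads/data.txt"),
    (301, "tnftp/20130505", "http://example.org/a%7Cb/data.txt"),
    (200, "NetBSD-ftp/20130505", None),
]

def scan(samples):
    """Run the check over every record and keep only the findings."""
    return [f for f in (check_exchange(*s) for s in samples) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLES):
        print(finding)
```

A finding with `ftp_client` set to False still shows a pipe-prefixed redirect being served and is worth reviewing, since the User-Agent is client-controlled.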
CVSS provenance
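| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |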
BSD
FreeBSD-SA-14:26.ftp: Remote command execution in ftp(1)
bsd_advisories·2014-11-04·CVSS 7.5
FreeBSD-SA-14:26.ftp Security Advisory
The FreeBSD Project
Topic: Remote command execution in ftp(1)
Category: core
Module: ftp
Announced: 2014-11-04
Credits: Jared McNeill, Alistair Crooks
Affects: All supported versions of FreeBSD.
Corrected: 2014-11-04 23:29:57 UTC (stable/10, 10.1-PRERELEASE)
2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC4-p1)
2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC3-p1)
2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC2-p3)
2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12)
2014-11-04 23:30:47 UTC (stable/9, 9.3-STABLE)
2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5)
2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15)
2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22)
2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE)
2014-11-04 23:32:15 UTC (releng/8.4,
Debian
CVE-2014-8517: tnftp - The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 th...
vendor_debian·2014·CVSS 7.5
The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.
Scope: local
bookworm: resolved (fixed in 20130505-2)
bullseye: resolved (fixed in 20130505-2)
forky: resolved (fixed in 20130505-2)
sid: resolved (fixed in 20130505-2)
trixie: resolved (fixed in 20130505-2)
Apple
CVE-2014-8517: OS X Yosemite v10.10.2 and Security Update 2015-001
vendor_apple·CVSS 7.5
Apple Security Update: About the security content of OS X Yosemite v10.10.2 and Security Update 2015-001
Product: OS X Yosemite v10.10.2 and Security Update 2015-001
CVE: CVE-2014-8517
Component: CVE-2014-8517
Impact: Using the ntp daemon with cryptographic authentication enabled may lead to information leaks
Description: Multiple input validation issues existed in ntpd. These issues were addressed through improved data validation.
GHSA
GHSA-5gp4-x3wh-cxgj: The fetch_url function in usr
ghsa_unreviewed·2022-05-17
CWE-77
The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.
OSV
CVE-2014-8517: The fetch_url function in usr
osv·2014-11-17·CVSS 7.5
The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.
No detection rules found.
Exploit-DB
tnftp - 'savefile' Arbitrary Command Execution (Metasploit)
exploitdb·2017-11-03
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'tnftp "savefile" Arbitrary Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in
tnftp's handling of the resolved output filename - called "savefile" in
the source - from a requested resource.
If tnftp is executed without the -o command-line option, it will resolve
the output filename from the last component of the requested resource.
If the output filename begins with a "|" character, tnftp will pass the
fetched resource's output to the command directly following the "|"
character through the use of the pop
Exploit-DB
tnftp (FreeBSD 8/9/10) - 'tnftp' Client Side
exploitdb·2014-12-02·CVSS 7.5
---
#!/usr/bin/env python2
#
# Exploit Title: [tnftp BSD exploit]
# Date: [11/29/2014]
# Exploit Author: [dash]
# Vendor Homepage: [www.freebsd.org]
# Version: [FreeBSD 8/9/10]
# Tested on: [FreeBSD 9.3]
# CVE : [CVE-2014-8517]
# tnftp exploit (CVE-2014-8517)tested against freebsd 9.3
# https://www.freebsd.org/security/advisories/FreeBSD-SA-14:26.ftp.asc
#
# 29 Nov 2014 by [email protected]
#
# usage:
#
# redirect the vulnerable ftp client requests for http to your machine
#
# client will do something like:
# ftp http://ftp.freebsd.org/data.txt
#
# you will intercept the dns request and redirect victim to your fake webserver ip
#
# attacker: start on 192.168.2.1 Xnest: Xnest -ac :1
# probably do also xhost+victimip
#
# attacker: python CVE-2014-
Metasploit
tnftp "savefile" Arbitrary Command Execution
metasploit
This module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource. If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component of the requested resource. If the output filename begins with a "|" character, tnftp will pass the fetched resource's output to the command directly following the "|" character through the use of the popen() function.
Bugzilla
CVE-2014-8517 tnftp: ftp client could be forced to execute arbitrary commands [fedora-all]
bugzilla·2014-10-29·CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2014-8517 tnftp: ftp client could be forced to execute arbitrary commands [epel-7]
bugzilla·2014-10-29·CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-7 tracking bug for tnftp: see blocks
Bugzilla
CVE-2014-8517 tnftp: ftp client could be forced to execute arbitrary commands [epel-6]
bugzilla·2014-10-29·CVSS 7.5
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
epel-6 tracking bug for tnftp: see blocks
Bugzilla
CVE-2014-8517 tnftp: ftp client could be forced to execute arbitrary commands
bugzilla·2014-10-29·CVSS 7.5
It was reported that tnftp, an FTP client from NetBSD, could be forced to run arbitrary commands if an output file is not specified. Full details and a patch are available from the following:
http://seclists.org/oss-sec/2014/q4/459
Discussion:
Created tnftp tracking bugs for this issue:
Affects: fedora-all [bug 1158287]
Affects: epel-6 [bug 1158288]
Affects: epel-7 [bug 1158289]
---
tnftp-20141031-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
---
tnftp-20141031-1.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
---
tnftp-20141031-1.el6 has b
- http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-013.txt.asc
- http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
- http://lists.opensuse.org/opensuse-updates/2014-11/msg00029.html
- http://seclists.org/oss-sec/2014/q4/459
- http://seclists.org/oss-sec/2014/q4/464
- http://secunia.com/advisories/62028
- http://secunia.com/advisories/62260
- http://support.apple.com/HT204244
- https://security.gentoo.org/glsa/201611-05
- https://www.exploit-db.com/exploits/43112/
Published: 2014-11-17