CVE-2014-8517
published 2014-11-17


Priority: P274, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 69.12% (99.3th percentile)
The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.

Affected

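27 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | | |
| apple | mac_os_x | | |
| apple | mac_os_x | | |
| apple | mac_os_x | | |
| apple | os_x_yosemite_v10.10.2_and_security_update_2015-001 | | |
| debian | tnftp | < tnftp 20130505-2 (bookworm) | tnftp 20130505-2 (bookworm) |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |
| netbsd | netbsd | | |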

Detection & IOCs (extracted from sources)

command: |<payload>
ua: (tn|NetBSD-)ftp
  • Detect HTTP redirect responses where the final path component (after the last '/') begins with a '|' pipe character — this is the trigger for tnftp's popen() execution.
  • Monitor for HTTP 302/redirect responses sent to User-Agent strings matching '(tn|NetBSD-)ftp' where the Location header URI ends with a pipe-prefixed string (e.g., '%7C<command>').
  • The Metasploit module encodes the pipe-prefixed payload using hex-all URI encoding before appending it to the redirect URI — look for hex-encoded '%7C' at the end of redirect Location headers targeting ftp clients.
  • The exploit requires a two-stage HTTP interaction: first a redirect response, then content delivery on a secondary port. Monitor for ftp client processes spawning unexpected child processes via popen().
  • The exploit payload must not contain '/' characters (BadChars restriction). Detection rules for the pipe-prefixed filename in HTTP redirects should account for slash-free command strings.
  • Exploitation only occurs when tnftp/ftp(1) is invoked without the '-o' command-line option; if '-o' is specified, the server-controlled filename is not used.
  • The payload cannot contain '/' characters, which limits the range of exploitable commands to those not requiring path separators.
  • The Apple advisory for CVE-2014-8517 in DOC 6 appears to be mislabeled — it describes an NTP issue, not the tnftp pipe vulnerability. Do not rely on Apple's description for this CVE.
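
The redirect check described in the bullets above, as an added example (not code from this page or from any vendor rule set): it scans proxy-log records for redirect responses whose final path component, once percent-decoded, begins with '|', and notes whether the client User-Agent matches '(tn|NetBSD-)ftp'. The tab-separated log layout, the host name, the User-Agent version strings and the function names are assumptions; the sample records are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# User-Agent pattern and pipe-prefix condition come from the bullets above.
TNFTP_UA = re.compile(r"(tn|NetBSD-)ftp")
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample records (not real traffic):
# status <TAB> client User-Agent <TAB> Location header
SAMPLE_LOG = """\
302\tNetBSD-ftp/20130220\thttp://mirror.example/pub/%7C%50%4C
302\ttnftp/20141104\thttp://mirror.example/pub/|PLACEHOLDER
302\tNetBSD-ftp/20130220\thttp://mirror.example/pub/release.tgz
302\tcurl/7.88.1\thttp://mirror.example/a|b/file.txt
200\ttnftp/20141104\t-
302\tWget/1.21\thttp://mirror.example/%7cPLACEHOLDER
"""

def final_component(location):
    """Percent-decode the text after the last '/' of the redirect path."""
    return unquote(urlsplit(location).path.rsplit("/", 1)[-1])

def find_pipe_redirects(log_text):
    """Return one finding per redirect whose decoded file name starts with '|'."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split("\t")
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # skip malformed records
        status, user_agent, location = int(parts[0]), parts[1], parts[2]
        if status not in REDIRECTS:
            continue
        name = final_component(location)
        if name.startswith("|"):
            findings.append({
                "line": lineno,
                # True: the client is one the advisory names; False: review only
                "ua_match": bool(TNFTP_UA.search(user_agent)),
                "name": name,
            })
    return findings

if __name__ == "__main__":
    for finding in find_pipe_redirects(SAMPLE_LOG):
        print(finding)
```

Decoding before the comparison is what catches the hex-all encoded form; a pipe earlier in the path (record 4) is not flagged because only the text after the last '/' is used.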

CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | LOW | |