This Metasploit module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource. If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component of the requested resource. If the output filename begins with a "|" character, tnftp will pass the fetched resource's output to the command directly following the "|" character through the use of the popen() function.
cb3ce61975554a3297a24930dd020c04ec845fcbd5d8eef10ec56929627059beGentoo Linux Security Advisory 201611-5 - tnftp is vulnerable to remote code execution if output file is not specified. Versions less than 20141104 are affected.
3714fd619d496c5232b4708937dc2490c0a41fd3dea634635ec841f8cfbdceaeFreeBSD Security Advisory - A malicious HTTP server could cause ftp(1) to execute arbitrary commands. When operating on HTTP URIs, the ftp(1) client follows HTTP redirects, and uses the part of the path after the last '/' from the last resource it accesses as the output filename if '-o' is not specified. If the output file name provided by the server begins with a pipe ('|'), the output is passed to popen(3), which might be used to execute arbitrary commands on the ftp(1) client machine.
908b41945f4a776313f3f3dbb1964358ed272a66171fc28e7a94977708dbbae3
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed