From djb@cr.yp.to Wed Dec 15 14:21:40 2004
Date: 15 Dec 2004 08:21:28 -0000
From: D. J. Bernstein
To: securesoftware@list.cr.yp.to, thepin@users.sourceforge.net
Subject: [remote] [control] junkie 0.3.1 gui_popup_view_fly does not check for nasty characters; ftp_retr does not check for directory escapes

Yosef Klein, a student in my Fall 2004 UNIX Security Holes course, has discovered two remotely exploitable security holes in junkie, an FTP client, version 0.3.1 (current). I'm publishing this notice, but all the discovery credits should be assigned to Klein.

You are at risk if you use junkie to ``View'' or ``Download'' a batch of files from an FTP server. Anyone who provides an FTP response to junkie (not necessarily the legitimate server administrator; an attacker can modify FTP responses passing through the network) then has complete control over your account: he can read and modify your files, watch the programs you're running, etc.

The first bug is triggered by the server sending a file name such as hello;:>x. The gui_popup_view_fly() function in gui_tview_popup.c

 * takes the user's txtviewer, which is "xterm -e vim %f" by default;
 * changes the %f to the file name /tmp/hello;:>x, producing the string "xterm -e vim /tmp/hello;:>x"; and
 * arranges for that string to be run as a command, with the unauthorized result of creating a file named x.

The second bug is triggered by the server sending a file name such as ../.cshrc. The ftp_retr() function in ftp_cmd.c blindly uses the server's file name (ent->file) as a local file name (localfile); users normally expect file-transfer programs to check for escapes from the current directory.

Klein comments that the FTP response can append to existing files ``due to a bug where junkie fails to account for the fact that it may receive a "502 not implemented" response to a "REST" request.''

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
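Both holes come from trusting a server-supplied file name: once as text spliced into a shell command line, once as a local path. The following is an added illustration, not junkie's code, of the two checks an FTP client would apply instead; the function names safe_local_name() and build_viewer_argv() are hypothetical, and the viewer template is the "xterm -e vim %f" default quoted above.

```c
/* Added example (not junkie's own code): defensive handling of file names
 * that arrive in FTP responses.  Function names here are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Return 1 if a server-supplied name may be used as a local file name in
 * the current directory: no '/' or '\\', not "." / "..", no leading '.'
 * or '-', and only a conservative printable character set.  Rejecting
 * (rather than escaping) means neither a shell nor the file system ever
 * sees ';', '>', '/' or similar characters taken from the wire, which
 * covers both "hello;:>x" and "../.cshrc". */
int safe_local_name(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 255 || name[0] == '.' || name[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (isalnum(c) || c == '.' || c == '_' || c == '-' || c == '+')
            continue;
        return 0;   /* '/', ';', '>', ' ', '\\', control bytes, ... */
    }
    return 1;
}

/* Turn the viewer template ("xterm -e vim %f") into an argv[] for
 * execvp(), substituting the path as ONE argument.  This replaces the
 * pattern of rewriting %f inside a string that is then run through
 * system()/"sh -c", where a ';' in the name starts a second command.
 * 'buf' is a writable copy of the template (strtok modifies it);
 * returns argc, or -1 if the template has more than max-1 words. */
int build_viewer_argv(char *buf, const char *path, char **argv, int max)
{
    int argc = 0;
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (argc >= max - 1)
            return -1;
        argv[argc++] = strcmp(tok, "%f") == 0 ? (char *)path : tok;
    }
    argv[argc] = NULL;
    return argc;
}

int main(void)
{
    const char *names[] = { "report.txt", "hello;:>x", "../.cshrc" };
    for (int i = 0; i < 3; i++)   /* constructed sample names */
        printf("%-12s -> %s\n", names[i],
               safe_local_name(names[i]) ? "accepted" : "rejected");
    return 0;
}
```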