SecurityTracker.com
Category:   Application (File Transfer/Sharing)  >   FTP (NetBSD)
Vendors:   NetBSD
NetBSD ftpd Request Processing Bug Permits Cross-Site Request Forgery Attacks
SecurityTracker Alert ID:  1021112
SecurityTracker URL:  http://securitytracker.com/id/1021112
CVE Reference:   CVE-2008-4247
Date:  Oct 28 2008
Impact:   Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in NetBSD ftpd. A remote user can conduct cross-site request forgery attacks.

Long 'ftp://' URLs may be split by the FTP server into multiple requests. A remote user can create a specially crafted 'ftp://' URL that, when loaded by the authenticated target user, will cause arbitrary commands to be executed on the target FTP server with the privileges of the target user.
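As an added illustration (this is not NetBSD's ftpd code and is not taken from the advisory), the following Python models the failure mode described above: a command reader with a fixed-size line buffer that dispatches whatever did not fit as the next command, beside a hardened reader that rejects an over-long line as a whole and drains its remainder. The 16-byte buffer, the sample session and the "500 Line too long" reply are constructed for the demonstration.

```python
import io

MAXLINE = 16  # constructed: tiny buffer so the split is visible in the sample session


def read_commands_naive(stream, maxline=MAXLINE):
    """Vulnerable model: every buffer-sized chunk is dispatched as its own command,
    so the tail of an over-long line is executed as a separate request."""
    cmds = []
    while True:
        chunk = stream.readline(maxline)  # at most maxline bytes; may stop mid-line
        if not chunk:
            return cmds
        cmds.append(chunk.rstrip(b"\r\n").decode("ascii", "replace"))


def read_commands_safe(stream, maxline=MAXLINE):
    """Hardened model: a line that does not fit the buffer is rejected whole and
    the rest of that line is discarded, never dispatched as a command."""
    accepted, rejected = [], 0
    while True:
        chunk = stream.readline(maxline)
        if not chunk:
            return accepted, rejected
        if not chunk.endswith(b"\n"):
            # over-long line: drain up to the newline without executing any of it
            while True:
                rest = stream.readline(maxline)
                if not rest or rest.endswith(b"\n"):
                    break
            rejected += 1  # a real server would answer e.g. "500 Line too long" here
            continue
        accepted.append(chunk.rstrip(b"\r\n").decode("ascii", "replace"))


def parse_session(data):
    """Run both readers over the same raw control-connection bytes."""
    return read_commands_naive(io.BytesIO(data)), read_commands_safe(io.BytesIO(data))


# Constructed sample session: one legitimate command, then one over-long command
# whose bytes beyond the 16-byte buffer happen to spell a second command (PWD).
SAMPLE_SESSION = b"USER anon\r\n" + b"CWD " + b"a" * 12 + b"PWD\r\n"

if __name__ == "__main__":
    naive, (accepted, rejected) = parse_session(SAMPLE_SESSION)
    print("naive dispatches:", naive)  # ['USER anon', 'CWD aaaaaaaaaaaa', 'PWD']
    print("safe accepts:", accepted, "rejected lines:", rejected)  # ['USER anon'] 1
```

The naive reader turns one over-long line into three commands; the hardened reader accepts only the first line and counts the over-long one as rejected.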

Maksymilian Arciemowicz of securityreason.com reported this vulnerability.

Impact:   A remote user can cause arbitrary commands to be executed by the authenticated target user on the target NetBSD ftpd site.
Solution:   The vendor has issued a source code fix.

The vendor's advisory is available at:

http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc

Vendor URL:  ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc
Cause:   Input validation error
Underlying OS:   UNIX (NetBSD)

Message History:   None.


 Source Message Contents

Date:  Mon, 27 Oct 2008 22:46:19 +0000
Subject:  NetBSD Security Advisory 2008-014: Cross-site request forgery in




		 NetBSD Security Advisory 2008-014
		 =================================

Topic:		Cross-site request forgery in ftpd(8)

Version:	NetBSD-current:		affected
		NetBSD 4.0.*:		not affected
		NetBSD 4.0:		affected
		NetBSD 3.1.*:		affected
		NetBSD 3.1:		affected
		NetBSD 3.0.*:		affected
		NetBSD 3.0:		affected

Severity:	Cross-site request forgery

Fixed:		NetBSD-current:		September 13, 2008
		NetBSD-4-0 branch:	September 18, 2008
			(4.0.1 includes the fix)
		NetBSD-4 branch:	September 18, 2008
			(4.1 will include the fix)
		NetBSD-3-1 branch:	September 18, 2008
			(3.1.2 will include the fix)
		NetBSD-3-0 branch:	September 18, 2008
			(3.0.4 will include the fix)
		NetBSD-3 branch:	September 18, 2008
			(3.2 will include the fix)
		pkgsrc:			tnftpd-20081009 corrects the issue


Abstract
========

When accessing NetBSD servers running ftpd(8), certain commands can aid
attackers in executing CSRF attacks, e.g. when a web browser is used to
access FTP servers.

This vulnerability has been assigned CVE-2008-4247.


Technical Details
=================

When accessing NetBSD servers running ftpd(8) long commands are split
into multiple requests which can result in CSRF attacks.


Solutions and Workarounds
=========================

Only NetBSD systems with ftpd(8) enabled may be vulnerable to this issue.  
ftpd(8) is not enabled by default in NetBSD generic installations.
As a temporary workaround disable ftpd(8) from the base OS and use the
tnftpd-20081009 package from pkgsrc which contains a fix.

The following instructions describe how to upgrade your ftpd
binaries by updating your source tree and rebuilding and installing
a new version of ftpd.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2008-09-13
	should be upgraded to NetBSD-current dated 2008-09-14 or later.

	The following files/directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:

		# cd src
		# cvs update -d -P libexec/ftpd
		# cd libexec/ftpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 4.*:

	Systems running NetBSD 4.* sources dated from before
	2008-09-18 should be upgraded from NetBSD 4.* sources dated
	2008-09-19 or later.

	The following files/directories need to be updated from the
	netbsd-4 or netbsd-4-0 branches:
		libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:

		# cd src
		# cvs update -r <branch_name> -d -P libexec/ftpd
		# cd libexec/ftpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 3.*:

	Systems running NetBSD 3.* sources dated from before
	2008-09-18 should be upgraded from NetBSD 3.* sources dated
	2008-09-19 or later.

	The following files/directories need to be updated from the
	netbsd-3, netbsd-3-0 or netbsd-3-1 branches:
		libexec/ftpd

	To update from CVS, re-build, and re-install ftpd:

		# cd src
		# cvs update -r <branch_name> -d -P libexec/ftpd
		# cd libexec/ftpd
		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


Thanks To
=========
Maksymilian Arciemowicz is credited with the discovery of this issue.
Luke Mewburn for supplying the fixes and testing.


Revision History
================

	2008-10-27	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
  ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2008-014.txt.asc

Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/.


Copyright 2008, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2008-014.txt,v 1.4 2008/10/27 19:47:39 adrianp Exp $

