The maintainer of the tnftp FTP client has patched a remote code execution vulnerability which affected operating systems including NetBSD, FreeBSD and Mac OS X.
The flaw (CVE-2014-8517), which did not affect OpenBSD due to modifications, was patched over the weekend.
NetBSD security bod Alistair Crook forewarned FreeBSD and Dragonfly, and received a “boilerplate reply” from Apple after warning it about the impact to OS X 10.10 (Yosemite).
Crook explained that malicious servers could cause tnftp to run arbitrary commands when an output file was not specified.
“If you [issue] “ftp http://server/path/file.txt”; and don’t specify an output filename with -o, the ftp program can be tricked into executing arbitrary commands. The FTP client will follow HTTP redirects, and uses the part of the path after the last / from the last resource it accesses as the output filename (as long as -o is not specified). After it resolves the output filename, it checks to see if the output filename begins with a “|”, and if so, passes the rest to popen(3): http://nxr.netbsd.org/xref/src/usr.bin/ftp/fetch.c#1156″
It followed the fix for GNU Wget popular with Linux users which closed off a separate remote code execution hole (CVE-2014-4877) in versions prior to 1.16 which were present when operating in recursive mode with a FTP target, according to Rapid 7 chief research officer HD Moore. ®