Subject: bin/8520: Evil (serious security issue) FTP behaviour in classic format mode.
To: None <gnats-bugs@gnats.netbsd.org>
From: None <johnr@imageworks.com>
List: netbsd-bugs
Date: 09/30/1999 02:06:24
>Number: 8520
>Category: bin
>Synopsis: Evil (serious security issue) FTP behaviour in classic format mode.
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Sep 30 02:05:01 1999
>Last-Modified:
>Originator: John Refling
>Organization:
>Release: 1.4 & 1.4.1
>Environment:
sparc
>Description:
Evil (serious security issue) FTP behaviour in classic format mode.
[Note: I'm testing using ftp 1.4 since 1.4.1 won't work with file
globbing in URL mode, per previous bug report]
When using file dir and file globbing, LOCAL directories are expanded
relative to root! You can wipe out very important files by accident!
I would expect that transfers be made relative to the current directory.
This occurs in classic FTP format, shown immediately below. See
further on for a (correct?) example of the URL format implementation.
BAD
~~~
ftp14 ftp.netbsd.org:/pub/NetBSD/NetBSD-1.4.1/sparc/binary/\*/M\*
Connected to ftp.netbsd.org.
220- THE NetBSD ARCHIVE
220-
220- GIVEN THE NATURE OF THE SOFTWARE MADE AVAILABLE UNDER THIS PROGRAM
220- IT IS HEREBY NOTED THAT ALL SOFTWARE, WITH THE EXCEPTION OF THOSE
220- WHICH CONTAIN ITAR CONTROLLED CONTENT, ARE BEING MADE AVAILABLE FOR
220- GENERAL ACCESS UNDER GENERAL TECHNICAL DATA AVAILABLE (GTDA) AS
220- PROVIDED FOR UNDER THE U.S. EXPORT REGULATIONS
220-
220- BECAUSE THE SIZE OF THE ARCHIVE AND THE QUANTITY OF PEOPLE WHO USE
220- IT, THE OPERATORS OF THIS SITE ADVISE ALL USERS THAT IT IS THE
220- LEGAL OBLIGATION OF THE INDIVIDUAL WHO ACCESSES THIS ARCHIVE TO
220- COMPLY WITH THE U.S. STATE DEPARTMENT REGULATIONS WHICH GOVERN THE
220- TRANSFER OF CERTAIN SOFTWARE PRODUCTS WHICH ARE DESIGNED TO MEET
220- MILITARY SPECIFICATIONS (LIKE AERIAL MAPPING) AND/OR USED IN
220- MILITARY APPLICATIONS (PRODUCTS WHICH CONTAIN THE DES ALGORITHM
220- FOR FILE/DATA ENCRYPTION).
220-
220 nbftp.isc.org FTP server (Version: 7.1.0) ready.
331 Guest login ok, type your name as password.
230-
230- Welcome to FTP.NetBSD.ORG
230- Located in Palo Alto, CA, USA , ,
230- /( )`
230- Home of \ \___ / |
230- 100Mb Connectivity Courtesy of the FREE /- _ `-/ '
230- Internet Software Consortium MULTIPLATFORM (/\/ \ \ /\
230- NetBSD 1.4.1 OS / / | ` \
230- \ O O ) / |
230- +--- Currently Supported Platforms ----+ \ `-^--'`< '
230- | DEC ALPHA, (STRONG)ARM32, ATARI, | \ (_.) _ ) /
230- |BEBOX, COMMODORE AMIGA & MACROSYSTEMS | `.___/` /
230- | DRACO, HP 300, INTEL x86, APPLE | `-----' /
230- | MACINTOSH(68k & PPC, iMAC, G3), | <----. __ / __ \
230- | MOTOROLA MVME68k, NEWS (68k & MIPS), | <----|====O)))==) \) /====
230- | NeXT, PC532, PMAX, POWERPC, SUN | <----' `--' `.__,' \
230- | SPARC(64), SUN 3/3X, DEC VAX, X68k | | |
230- +--------------------------------------+ \ /
230- MORE ARE UNDER DEVELOPMENT ______( (_ / \_____
230- (FL) ,' ,-----' | \
230- ALL FTP TRANSFERS AND COMMANDS ARE LOGGED. `--{__________) \/
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
local: /pub/NetBSD/NetBSD-1.4.1/sparc/binary/kernel/MD5 remote: /pub/NetBSD/NetBSD-1.4.1/sparc/binary/kernel/MD5
227 Entering Passive Mode (204,152,184,75,242,84)
150 Opening BINARY mode data connection for '/pub/NetBSD/NetBSD-1.4.1/sparc/binary/kernel/MD5' (124 bytes).
0% | | 0 0.00 KB/s --:-- ETA
100% |******************************************| 124 33.72 KB/s 00:00 ETA
226 Transfer complete.
124 bytes received in 00:00 (2.05 KB/s)
local: /pub/NetBSD/NetBSD-1.4.1/sparc/binary/security/MD5 remote: /pub/NetBSD/NetBSD-1.4.1/sparc/binary/security/MD5
227 Entering Passive Mode (204,152,184,75,242,83)
150 Opening BINARY mode data connection for '/pub/NetBSD/NetBSD-1.4.1/sparc/binary/security/MD5' (50 bytes).
0% | | 0 0.00 KB/s --:-- ETA
100% |******************************************| 50 21.78 KB/s 00:00 ETA
226 Transfer complete.
50 bytes received in 00:00 (0.38 KB/s)
local: /pub/NetBSD/NetBSD-1.4.1/sparc/binary/sets/MD5 remote: /pub/NetBSD/NetBSD-1.4.1/sparc/binary/sets/MD5
227 Entering Passive Mode (204,152,184,75,242,82)
150 Opening BINARY mode data connection for '/pub/NetBSD/NetBSD-1.4.1/sparc/binary/sets/MD5' (659 bytes).
0% | | 0 0.00 KB/s --:-- ETA
100% |******************************************| 659 9.66 KB/s 00:00 ETA
226 Transfer complete.
659 bytes received in 00:00 (0.66 KB/s)
221 Goodbye.
^
!
!
BAD (copies relative to my root dir), see the "local: /pub/..." above ----
GOOD ----
|
V
ftp14 ftp://ftp.netbsd.org/pub/NetBSD/NetBSD-1.4.1/sparc/binary/\*/M\*
Connected to ftp.netbsd.org.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
200 Type set to I.
local: pub/NetBSD/NetBSD-1.4.1/sparc/binary/kernel/MD5 remote: pub/NetBSD/NetBSD-1.4.1/sparc/binary/kernel/MD5
227 Entering Passive Mode (204,152,184,75,242,80)
150 Opening BINARY mode data connection for 'pub/NetBSD/NetBSD-1.4.1/sparc/binary/kernel/MD5' (124 bytes).
0% | | 0 0.00 KB/s --:-- ETA
100% |******************************************| 124 34.49 KB/s 00:00 ETA
226 Transfer complete.
124 bytes received in 00:00 (5.29 KB/s)
local: pub/NetBSD/NetBSD-1.4.1/sparc/binary/security/MD5 remote: pub/NetBSD/NetBSD-1.4.1/sparc/binary/security/MD5
227 Entering Passive Mode (204,152,184,75,242,78)
150 Opening BINARY mode data connection for 'pub/NetBSD/NetBSD-1.4.1/sparc/binary/security/MD5' (50 bytes).
0% | | 0 0.00 KB/s --:-- ETA
100% |******************************************| 50 21.17 KB/s 00:00 ETA
226 Transfer complete.
50 bytes received in 00:00 (0.37 KB/s)
local: pub/NetBSD/NetBSD-1.4.1/sparc/binary/sets/MD5 remote: pub/NetBSD/NetBSD-1.4.1/sparc/binary/sets/MD5
227 Entering Passive Mode (204,152,184,75,242,77)
150 Opening BINARY mode data connection for 'pub/NetBSD/NetBSD-1.4.1/sparc/binary/sets/MD5' (659 bytes).
0% | | 0 0.00 KB/s --:-- ETA
100% |******************************************| 659 135.65 KB/s 00:00 ETA
226 Transfer complete.
659 bytes received in 00:00 (10.04 KB/s)
221 Goodbye.
Note: you can also get the desired effect by:
ftp14 ftp.netbsd.org:pub/NetBSD/NetBSD-1.4.1/sparc/binary/\*/M\*
This works, though the syntax is contrary to the man page (which implies that you
must have a :/). The man page should be fixed if this is a feature.
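As an added illustration (not part of this PR and not the NetBSD ftp client's own code), the Python below models the two local-path behaviours the report contrasts and audits saved ftp output for transfers whose local target is absolute; the function and constant names are assumed, and the sample transcript lines are constructed from the two sessions above.

```python
import posixpath
import re

# Matches the "local: X remote: Y" status line the ftp client prints per file.
LOCAL_RE = re.compile(r"^local:\s+(\S+)\s+remote:\s+(\S+)")


def naive_local_path(remote_path: str) -> str:
    """Behaviour the PR describes for classic host:/path mode: the remote
    path is reused verbatim as the local file name, so a remote path that
    starts with '/' becomes an absolute local path under the root dir."""
    return remote_path


def safe_local_path(remote_path: str, cwd: str = ".") -> str:
    """Behaviour the PR expects: store the file under the current directory.
    Leading slashes are dropped and any '..' that would climb above cwd is
    rejected, so neither a glob result nor a hostile server's file list
    can name a file outside cwd."""
    rel = posixpath.normpath(remote_path.lstrip("/"))
    if rel in (".", "..") or rel.startswith("../"):
        raise ValueError("remote path escapes the local directory: %r" % remote_path)
    return posixpath.join(cwd, rel)


def flag_absolute_local_targets(transcript: str) -> list:
    """Audit saved ftp output: return the local targets that are absolute
    paths, i.e. transfers that would land relative to / (the BAD case)."""
    hits = []
    for line in transcript.splitlines():
        m = LOCAL_RE.match(line)
        if m and posixpath.isabs(m.group(1)):
            hits.append(m.group(1))
    return hits


# Constructed sample: one status line from each session in the report,
# with the terminal's 80-column wrapping undone.
SAMPLE_TRANSCRIPT = """\
local: /pub/NetBSD/NetBSD-1.4.1/sparc/binary/kernel/MD5 remote: /pub/NetBSD/NetBSD-1.4.1/sparc/binary/kernel/MD5
local: pub/NetBSD/NetBSD-1.4.1/sparc/binary/sets/MD5 remote: pub/NetBSD/NetBSD-1.4.1/sparc/binary/sets/MD5
"""

if __name__ == "__main__":
    print(flag_absolute_local_targets(SAMPLE_TRANSCRIPT))
    print(safe_local_path("/pub/NetBSD/NetBSD-1.4.1/sparc/binary/kernel/MD5"))
```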
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted: