Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 173524

Summary: net-ftp/lftp <3.5.9 user assisted code execution (CVE-2007-2348)
Product: Gentoo Security Reporter: Daniel Black (RETIRED) <dragonheart>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://lftp.yar.ru/
Whiteboard: B2? [noglsa] jaervosz
Package list:
Runtime testing required: ---

Description Daniel Black (RETIRED) gentoo-dev 2007-04-06 01:55:11 UTC 
--- /var/tmp/portage/net-ftp/lftp-3.5.7/work/lftp-3.5.7/NEWS    2006-12-08 23:02:47.000000000 +1100
+++ /var/tmp/portage/net-ftp/lftp-3.5.9/work/lftp-3.5.9/NEWS    2007-01-09 17:04:06.000000000 +1100
@@ -1,3 +1,12 @@
+Version 3.5.9 - 2007-01-09
+
+* fixed `mirror --script' which generated improperly quoted shell commands
+(potential security vulnerability, when someone executes the resulting script).
+
nothing found in email list.

Impact: A user could be provided a lftp script by a malicious person that could execute arbitary shell script.

vulnerability is very a bit unlikely to exploit imho.

net-ftp/lftp-3.5.9 and 3.5.10 in the tree
lftp-3.5.10 fixes a few core dumps and has some library linking foo added. Recommend stabilizing this version.

I checked the code and the vulnerability existed in latest stable version (3.4.6).

Test plan for 3.5.10 - its a ftp client  - treat it like one.
lftp is a basic ftp client. To test try the following:
$ lftp ftp://lftp.yar.ru/lftp/old
cd ok, cwd=/lftp/old
lftp lftp.yar.ru:/lftp/old> ls
...
lftp lftp.yar.ru:/lftp/old> get lftp-3.4.5.tar.bz2.asc
...
lftp lftp.yar.ru:/lftp/old> mget lftp-*.md5sum
...
lftp lftp.yar.ru:/lftp/old> bye
$
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-11 11:00:05 UTC 
Thx Daniel.

Arches please test and mark stable.
Comment 2 Raúl Porcel (RETIRED) gentoo-dev 2007-04-11 12:27:34 UTC 
ia64 + x86 stable
Comment 3 Peter Weller (RETIRED) gentoo-dev 2007-04-11 13:12:32 UTC 
3.5.10 stable on amd64
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2007-04-11 13:28:41 UTC 
Stable for HPPA.
Comment 5 Gustavo Zacarias (RETIRED) gentoo-dev 2007-04-11 14:10:19 UTC 
sparc stable.
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-04-11 14:23:13 UTC 
ppc64 stable
Comment 7 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2007-04-11 16:38:14 UTC 
alpha stable.

+extra points to Daniel for providing instructions to test! you r0lz.
Comment 8 Tobias Scherbaum (RETIRED) gentoo-dev 2007-04-11 22:39:13 UTC 
ppc stable
Comment 9 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-27 20:29:24 UTC 
i'm late but i really don't consider this as a security issue when i'm reading the manpage. "Mirror --script" is not actually dangerous. Running "mirror --script" then run the generated script without reading it is stupid.

BTW it'll be CVE-2007-2348
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-30 08:32:22 UTC 
@falco: one thing is a script that executes FTP commands another is when it can execute arbitrary commands. Just because the script file is plaintext doesn't mean everybody will check it before running it.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-02 11:36:11 UTC 
Since there has been some discussion about wether this is a feature or a security issue, I'm calling a GLSA vote.
Comment 12 Daniel Black (RETIRED) gentoo-dev 2007-05-02 12:37:30 UTC 
script seems only intended to run ftp commands. going further to arbitrary shell commands seems to be an unintentional priv escalation. Depending on the command given this could allow a remote shell in where there wasn't before. so i'm saying go glsa=yes.
Comment 13 Matt Drew (RETIRED) gentoo-dev 2007-05-02 12:56:08 UTC 
This is either a non-issue or it hasn't been fixed, since you can already drop
to a shell from the lftp script (append a line starting with ! and then your
shell commands, confirmed on 3.5.10).  There's essentially no difference
between running an untrusted lftp script and running an untrusted bash script.

Even without the shell commands, it would be pretty trivial for an untrusted
lftp script to do things like overwrite local files (cron, .bash_profile, etc)
to gain code execution as the user.  There's not really any way around this
that I see.
Comment 14 Matt Drew (RETIRED) gentoo-dev 2007-05-03 11:29:50 UTC 
I vote no, by the way. :)
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-03 18:47:51 UTC 
/vote NO.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-03 18:55:13 UTC 
Two NO votes -> closing with NO GLSA. Feel free to reopen if you disagree.