From djb@cr.yp.to Wed Dec 15 14:21:40 2004
Date: 15 Dec 2004 08:21:28 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, thepin@users.sourceforge.net
Subject: [remote] [control] junkie 0.3.1 gui_popup_view_fly does not check
    for nasty characters; ftp_retr does not check for directory escapes

Yosef Klein, a student in my Fall 2004 UNIX Security Holes course, has
discovered two remotely exploitable security holes in junkie, an FTP
client, version 0.3.1 (current). I'm publishing this notice, but all the
discovery credits should be assigned to Klein.

You are at risk if you use junkie to ``View'' or ``Download'' a batch of
files from an FTP server. Anyone who provides an FTP response to junkie
(not necessarily the legitimate server administrator; an attacker can
modify FTP responses passing through the network) then has complete
control over your account: he can read and modify your files, watch the
programs you're running, etc.

The first bug is triggered by the server sending a file name such as
hello;:>x. The gui_popup_view_fly() function in gui_tview_popup.c

   * takes the user's txtviewer, which is "xterm -e vim %f" by default;
   * changes the %f to the file name /tmp/hello;:>x, producing the
     string "xterm -e vim /tmp/hello;:>x"; and
   * arranges for that string to be run as a command, with the
     unauthorized result of creating a file named x.

The second bug is triggered by the server sending a file name such as
../.cshrc. The ftp_retr() function in ftp_cmd.c blindly uses the
server's file name (ent->file) as a local file name (localfile); users
normally expect file-transfer programs to check for escapes from the
current directory. Klein comments that the FTP response can append to
existing files ``due to a bug where junkie fails to account for the fact
that it may receive a "502 not implemented" response to a "REST"
request.''

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago