Basic use of a command-line FTP client:

1. Type open <ip address> (where ip address is the server's network IP address) to open your connection to the FTP server.
2. At this point, you're asked for a username and password. For many FTP servers, using the username anonymous and your e-mail address as the password is enough to get you logged in. Some sites even permit you to log in without any username or password at all. On secure sites, however, you need to use the username and password provided by the administrator of that specific server.
3. Type lcd <folder> (where folder is a specific folder name) to change into the folder on your local drive that you want files to come to or from.
4. Type the ls and cd commands to place yourself into the desired folder on the FTP server.
5. Type the ascii or bin command to set your file transfer mode to ASCII or binary, respectively. This is important because choosing the wrong type will likely cause the transfer to fail. Unless it's a plain-text file, always use binary mode.
6. Type the get, mget, put, and mput commands to send or receive the desired files.

We often hear about vulnerabilities in HTTP clients, such as web browsers, that are typically exploited by malicious web content; there's nothing new here. But did you know that FTP clients themselves can also have vulnerabilities that can be exploited? FTP clients can be targeted by the malicious servers they connect to.

In this blog post, I'll show an interesting path traversal vulnerability we identified and responsibly disclosed to several affected vendors in November 2017. This vulnerability can affect multiple applications and libraries, allowing a malicious FTP server to create or overwrite files anywhere on the local file system. As you will see in the details below, this vulnerability results from a lack of validation, affecting not just FTP clients but also many other applications and libraries in various ecosystems, such as Java, npm and others.

OK, let's get into the issue! We want to code a function that downloads the contents of a remote FTP folder to a local one. As most of us already know, the FTP protocol itself does not offer a "download folder" command, but we can combine several other commands to achieve our goal:

1. List all the files in the remote folder (LIST or NLST FTP commands).
2. For each file in the list results above, download the file and save it to a local folder (GET or MGET FTP commands).

An example of some Java code performing this behaviour, using the Apache commons-net library, might look like this:

```java
import java.io.*;
import org.apache.commons.net.ftp.*;

private void downloadDirectory(FTPClient ftpClient, String remoteDir, String localDir) throws IOException {
    FTPFile[] subFiles = ftpClient.listFiles(remoteDir);
    for (FTPFile aFile : subFiles) {
        // The server-supplied name is used as-is: nothing checks it for separators or ".." components.
        String remoteFile = ftpClient.printWorkingDirectory() + File.separator + aFile.getName();
        String localFile = localDir + File.separator + aFile.getName();
        try (OutputStream downloadedStream = new BufferedOutputStream(new FileOutputStream(new File(localFile)))) {
            boolean success = ftpClient.retrieveFile(remoteFile, downloadedStream);
        }
    }
}
```

The code above iterates over each file returned by the server and downloads it into a local destination folder. So, for example, if the first file in the remote folder is named passwd and our local destination folder is /var/data/sync/, we end up downloading the file to /var/data/sync/passwd. But what if the FTP server turns malicious and, instead of responding to the LIST command with passwd, responds with ../../../etc/passwd? The code above will end up placing the file into /var/data/sync/../../../etc/passwd, practically overwriting /etc/passwd with the newly downloaded file.

You might say that ../../../etc/passwd is not a valid filename, and indeed it isn't. But the FTP protocol does not define what a valid filename is. Technically, it stays agnostic to the file system, leaving it for both the client and the server to figure out for themselves. For example, a Windows-based FTP server's response to a LIST command looks quite different from that of a Unix one.

Vulnerability discovered by Snyk Security Research

The list of affected Apache products was disclosed to the foundation. Apache informed us that they plan to release a fixed version by the end of February. Details were also published in the CVE database for the Apache Hive project.

CVE-2018-1315: 'COPY FROM FTP' statement in HPL/SQL can write to an arbitrary location if the FTP server is compromised. Description: When the 'COPY FROM FTP' statement is run using the HPL/SQL extension to Hive, a compromised or malicious FTP server can cause the file to be written to an arbitrary location on the cluster where the command is run from. This is because the FTP client code in HPL/SQL does not verify the destination location of the downloaded code. This does not affect the hivecli user and hiveserver2 user, as hplsql is a separate command-line script and needs to be invoked differently.
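The defence the post is pointing at is a client-side check that the server-supplied listing entry stays inside the local destination directory. What follows is an added Python example, not code from the original post, from Snyk or from any of the affected projects, that puts the naive join beside a hardened one and drives the hardened download with a constructed in-memory stand-in for an ftplib.FTP session whose NLST reply is attacker-chosen. It goes a little beyond the article's single Unix case: the names in HOSTILE_LISTING (a traversal, an absolute path, a Windows-style traversal and a drive-relative name) and the PAYLOAD bytes are all made up for the demonstration, and the function names are mine.

```python
"""Added example: a hardened FTP directory download that rejects server-supplied names
which would escape the local destination directory (not code from the original post)."""
import posixpath
import tempfile
from pathlib import Path, PureWindowsPath


def naive_local_path(local_dir: str, remote_name: str) -> str:
    """The vulnerable computation: local_dir + separator + name, as a trusting client does it.
    Normalised so that the effect of a traversal name is visible."""
    return posixpath.normpath(posixpath.join(local_dir, remote_name))


def safe_local_path(local_dir: str, remote_name: str) -> Path:
    """Map a server-supplied listing entry onto local_dir, or raise ValueError.

    FTP does not define what a file name may contain, so the client has to decide. A
    listing entry is expected to be a bare file name: no '.'/'..', no path separator of
    either flavour, no Windows drive prefix. The resolved result must then sit directly
    inside local_dir, which also catches a pre-existing symlink with that name.
    """
    if remote_name in ("", ".", ".."):
        raise ValueError(f"rejected {remote_name!r}: empty or dot component")
    if "/" in remote_name or "\\" in remote_name:
        raise ValueError(f"rejected {remote_name!r}: contains a path separator")
    if PureWindowsPath(remote_name).drive:
        raise ValueError(f"rejected {remote_name!r}: drive-qualified name")
    base = Path(local_dir).resolve()
    candidate = (base / remote_name).resolve()
    if candidate.parent != base:
        raise ValueError(f"rejected {remote_name!r}: resolves outside {base}")
    return candidate


def download_directory(ftp, remote_dir: str, local_dir: str):
    """Mirror remote_dir into local_dir with CWD + NLST + RETR, skipping unsafe names.
    `ftp` only needs ftplib.FTP's cwd(path), nlst() and retrbinary(cmd, callback)."""
    written, rejected = [], []
    ftp.cwd(remote_dir)  # list with no argument: servers may prefix names with the directory otherwise
    for name in ftp.nlst():
        try:
            target = safe_local_path(local_dir, name)
        except ValueError:
            rejected.append(name)
            continue
        with open(target, "wb") as fh:
            ftp.retrbinary("RETR " + name, fh.write)  # the name goes back verbatim; the server chose it
        written.append(target)
    return written, rejected


class MaliciousFtpServer:
    """Constructed stand-in for an ftplib.FTP session with a hostile server: the listing
    is attacker-chosen and every RETR returns a replacement passwd file."""
    PAYLOAD = b"root::0:0:root:/root:/bin/sh\n"  # constructed: passwordless root entry

    def __init__(self, listing):
        self.listing = list(listing)
        self.cwd_path = "/"

    def cwd(self, path):
        self.cwd_path = path
        return "250 OK"

    def nlst(self, *args):
        return list(self.listing)

    def retrbinary(self, cmd, callback, blocksize=8192):
        callback(self.PAYLOAD)
        return "226 Transfer complete"


HOSTILE_LISTING = [  # constructed listing, not captured from a real server
    "passwd",               # the only legitimate-looking entry
    "../../../etc/passwd",  # Unix traversal, the case from the article
    "/etc/cron.d/evil",     # absolute path; posixpath.join simply discards local_dir
    "..\\..\\evil.bat",     # Windows-style traversal: inert on a Unix client, a traversal on Windows
    "C:evil.dll",           # drive-relative name with no separator at all
]


def demo() -> dict:
    """Run the hardened download against the hostile listing and report what happened."""
    ftp = MaliciousFtpServer(HOSTILE_LISTING)
    with tempfile.TemporaryDirectory() as tmp:
        written, rejected = download_directory(ftp, "/pub", tmp)
        return {
            "written": [p.name for p in written],
            "rejected": rejected,
            # what the naive join would have produced for each entry under /var/data/sync
            "naive": [naive_local_path("/var/data/sync", n) for n in HOSTILE_LISTING],
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

demo() writes only into a temporary directory; against a real server, replace MaliciousFtpServer with an ftplib.FTP instance after login and the rest is unchanged. The check deliberately rejects rather than sanitises: stripping "../" from a hostile name still leaves you writing whatever the server chose, and a name that legitimately contains a separator is not something a single-directory listing should produce.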