CVE-2017-17405 in macOS

Summary

by MITRE

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.


Analysis

by VulDB Data Team • 11/30/2025

The vulnerability identified as CVE-2017-17405 is a critical command injection flaw in Ruby's Net::FTP implementation affecting versions prior to 2.4.3. It resides in the local file handling of the Net::FTP class, which is part of Ruby's standard library and commonly used for file transfers over FTP. The flaw arises because the library opens local files through Kernel#open, which supports more than plain file access: when the argument begins with a pipe character, Kernel#open spawns the named command instead of opening a file.

The root cause is the unchecked local file argument in several Net::FTP methods: get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile. When that argument begins with the pipe character "|", Kernel#open treats it as a command to execute rather than as a file path, mirroring Unix shell semantics, and the data that would have been written to or read from the file is instead exchanged with that process. The flaw is particularly dangerous because it can be triggered through the library's default behavior: when no local file name is given, it is derived from the remote file name with File.basename(remotefile), so a server-chosen name reaches Kernel#open unmodified.

The operational impact of this vulnerability is severe and can lead to complete system compromise when exploited. An attacker controlling a malicious FTP server can craft remote file names that, when processed by vulnerable Ruby applications, result in arbitrary command execution on the victim system. This allows attackers to execute malicious code with the privileges of the Ruby process, potentially leading to full system compromise, data exfiltration, or further lateral movement within the network. The vulnerability affects any Ruby application that uses Net::FTP for file transfers, particularly web applications, automated backup systems, and any software that processes FTP file operations without proper input validation.

This vulnerability maps directly to CWE-78, which describes improper neutralization of special elements used in OS commands, and CWE-94, which covers improper control of generation of code. The attack pattern aligns with ATT&CK technique T1059.001, which involves executing commands through a command and scripting interpreter. The vulnerability also relates to T1071.004, which covers application layer protocol traffic, specifically FTP protocol manipulation. The attack vector requires minimal privileges on the attacker's part since they only need to control an FTP server to deliver malicious file names that will be processed by vulnerable Ruby applications. Organizations using Ruby applications that interact with FTP servers are particularly at risk, especially those that do not validate or sanitize file names received from external sources, making this vulnerability highly exploitable in real-world scenarios.

The recommended mitigations include immediate upgrading to Ruby 2.4.3 or later versions where this vulnerability has been patched. Organizations should also implement proper input validation and sanitization for all file names received from external sources, particularly when these names are used in file operations. Network segmentation and firewall rules should be implemented to restrict FTP access to trusted sources only. Additionally, applications should be configured to use explicit file paths rather than relying on default behaviors that automatically derive local file names from remote sources. Regular security audits and penetration testing should be conducted to identify other potential command injection vulnerabilities in Ruby applications and related components.
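To make the mechanism and the last mitigation above concrete from the defender's side, here is an added Ruby example (not from the VulDB entry or from Ruby's own patch). It derives the local name the way Net::FTP does by default, rejects names that Kernel#open would treat as a command, and opens the file through File.open, which never interprets a leading pipe; the SafeLocalFile module and its method names are assumptions of this example.

```ruby
# Added example, not part of the VulDB entry or of Ruby's stdlib.
# Derives a local file name from a server-supplied remote name the way
# Net::FTP does by default, then refuses anything Kernel#open would run
# as a command and opens the result with File.open only.
module SafeLocalFile
  # Raised when a server-supplied name cannot be used as a local file name.
  class UnsafeName < ArgumentError; end

  # Mirror Net::FTP's default: localfile = File.basename(remotefile).
  def self.default_local_name(remotefile)
    File.basename(remotefile)
  end

  # Accept only a plain relative file name: no leading "|" (Kernel#open
  # command syntax), no path separators, no "." / "..", no control bytes.
  def self.validate!(name)
    raise UnsafeName, "empty name" if name.nil? || name.empty?
    raise UnsafeName, "pipe prefix" if name.start_with?("|")
    raise UnsafeName, "path component" if name.include?("/") || name.include?("\\")
    raise UnsafeName, "dot entry" if name == "." || name == ".."
    raise UnsafeName, "control characters" if name =~ /[\x00-\x1f]/
    name
  end

  # Convenience predicate for callers that prefer a boolean to an exception.
  def self.safe?(name)
    validate!(name)
    true
  rescue UnsafeName
    false
  end

  # Open the local file with File.open (never Kernel#open), so the argument
  # can only ever be a path. dir is the directory downloads are confined to.
  def self.open_local(dir, remotefile, mode = "wb", &block)
    name = validate!(default_local_name(remotefile))
    File.open(File.join(dir, name), mode, &block)
  end
end
```

Passing an explicit, validated local path to Net::FTP#get instead of relying on its default is the application-side equivalent of this check.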

Reservation: 12/05/2017

Disclosure: 12/15/2017

Moderation: accepted

Entry: 2


EPSS: 0.88646

KEV: no

Activities: very low
