CVE-2014-8517

macOS X - Remote Command Execution via HTTP Redirect Pipe Character

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2014-8517. PoCs published by Metasploit, dash, Jared McNeill, wvu, including Metasploit module exploits/unix/http/tnftp_savefile.

AI-analyzed exploit summary This Metasploit module exploits CVE-2014-8517 in tnftp by leveraging the arbitrary command execution vulnerability when the output filename begins with a '|' character, allowing command injection via the popen() function.

Description

The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.

Exploits (3)

exploitdb WORKING POC VERIFIED
by Metasploit · rubyremoteunix
https://www.exploit-db.com/exploits/43112

This Metasploit module exploits CVE-2014-8517 in tnftp by leveraging the arbitrary command execution vulnerability when the output filename begins with a '|' character, allowing command injection via the popen() function.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: tnftp (NetBSD ftp client)
No auth needed
Prerequisites: Target must use tnftp without the -o option · Attacker must host a malicious HTTP server
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by dash · pythonremotebsd
https://www.exploit-db.com/exploits/35427

This exploit leverages CVE-2014-8517 in tnftp (FreeBSD FTP client) by intercepting HTTP requests and injecting a malicious redirect to execute an xterm command via pipe injection. It requires DNS spoofing to redirect the victim to a fake webserver.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: tnftp (FreeBSD 8/9/10)
No auth needed
Prerequisites: DNS spoofing capability · Victim must use tnftp to fetch an HTTP resource · Attacker must host a fake webserver on port 80 and a secondary server on a custom port · Xnest must be running on the attacker's machine
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC EXCELLENT
by Jared McNeill, wvu · rubypocunix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/tnftp_savefile.rb

This Metasploit module exploits CVE-2014-8517 in tnftp by crafting a malicious URI that triggers command execution via the 'savefile' feature when the output filename starts with a '|' character.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: tnftp (NetBSD ftp client)
No auth needed
Prerequisites: Target must use tnftp without the -o option · Target must fetch a malicious URI
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Patch, Vendor Advisory vendor-advisory x_refsource_netbsd
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2014-013.txt.asc
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/62028
Mailing List mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2014/q4/464
Vendor Advisory x_refsource_confirm
http://support.apple.com/HT204244
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201611-05
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2014-11/msg00029.html
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2015/Jan/msg00003.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/62260
Mailing List mailing-list x_refsource_mlist
http://seclists.org/oss-sec/2014/q4/459
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43112/

Scores

EPSS 0.6990
EPSS Percentile 99.3%

Details

CWE
CWE-77
Status published
Products (25)
apple/mac_os_x 10.8.5
apple/mac_os_x 10.9.5
apple/mac_os_x 10.10.0
apple/mac_os_x 10.10.1
netbsd/netbsd 5.1
netbsd/netbsd 5.1.1
netbsd/netbsd 5.1.2
netbsd/netbsd 5.1.3
netbsd/netbsd 5.1.4
netbsd/netbsd 5.2
... and 15 more
Published Nov 17, 2014
Tracked Since Feb 18, 2026