CVE-2017-17405

HIGH

Ruby < 2.4.3 - OS Command Injection via Net::FTP Localfile Pipe Character

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-17405. PoCs published by Etienne Stalmans.

AI-analyzed exploit summary This exploit demonstrates a command injection vulnerability in Ruby's NET::FTP library (CVE-2017-17405) where malicious filenames containing shell metacharacters (e.g., `| id`) can trigger arbitrary command execution when processed by the `gettextfile` method. The PoC includes a custom FTP server that serves a malicious filename and a client script that downloads it, resulting in RCE.

Description

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

Exploits (1)

exploitdb WORKING POC
by Etienne Stalmans · localruby
https://www.exploit-db.com/exploits/43381

This exploit demonstrates a command injection vulnerability in Ruby's NET::FTP library (CVE-2017-17405) where malicious filenames containing shell metacharacters (e.g., `| id`) can trigger arbitrary command execution when processed by the `gettextfile` method. The PoC includes a custom FTP server that serves a malicious filename and a client script that downloads it, resulting in RCE.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Ruby NET::FTP (versions before the fix)
Auth required
Prerequisites: Attacker-controlled FTP server · Victim uses vulnerable NET::FTP client with default `localfile` parameter
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (14)

Core 14
Core References
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0585
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2017/12/msg00024.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0378
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/102204
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1042004
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/43381/
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0584
Patch, Release Notes, Vendor Advisory x_refsource_confirm
https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-4-3-released/
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:0583
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2017/12/msg00025.html
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4259
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:2806

Scores

CVSS v3 8.8
EPSS 0.7393
EPSS Percentile 99.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-78
Status published
Products (15)
debian/debian_linux 7.0
debian/debian_linux 8.0
debian/debian_linux 9.0
redhat/enterprise_linux_desktop 7.0
redhat/enterprise_linux_server 7.0
redhat/enterprise_linux_server_aus 7.4
redhat/enterprise_linux_server_aus 7.6
redhat/enterprise_linux_server_eus 7.4
redhat/enterprise_linux_server_eus 7.5
redhat/enterprise_linux_server_eus 7.6
... and 5 more
Published Dec 15, 2017
Tracked Since Feb 18, 2026