C-Kermit File Overwrite and Exfiltration Vulnerability

A vulnerability in C-Kermit (through 10.0 Beta.12) prior to 244644d allows a remote Kermit system to overwrite files on the local system or retrieve arbitrary files from it. This issue arises because, by default, C-Kermit permits remote control over the local file system, a behavior that was an explicit choice by the upstream Kermit authors years ago. The vulnerability can be exploited by sending Kermit packets that initiate file transfers or commands that manipulate the local file system, such as changing directories or overwriting files.

Impact

Exploitation of this vulnerability allows for unauthorized file overwriting and exfiltration of local files to the remote system.

Reproduction

The vulnerability can be reproduced by connecting to a remote host via SSH using C-Kermit. Once connected, the local Kermit can be put into server mode, allowing the remote host to issue commands that overwrite files in the local working directory or download arbitrary files from the local system. This can be done by sending Kermit packets that trigger these actions, taking advantage of the default settings that enable such remote control.

Remediation

Users can update to C-Kermit version 416~beta12-5, which blocks remote control of the local Kermit by default.