[vuln.sg] 3D-FTP FTP Client Directory Traversal Vulnerability

A vulnerability has been found within the FTP client in 3D-FTP. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.

This advisory discloses a vulnerability within the FTP client in 3D-FTP. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a user's system.

The FTP client does not properly sanitise filenames containing directory traversal sequences (backslash and forward-slash) that are received from an FTP server in response to the LIST and MLSD commands when the user downloads an entire directory.

Response to LIST (backslash):

-rw-r--r--    1 ftp      ftp            20 Mar 01 05:37 \..\..\..\..\..\..\..\..\..\testfile.txt\r\n

Response to LIST (forward-slash):

-rw-r--r--    1 ftp      ftp            20 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n

Response to LIST (combination):

-rw-r--r--    1 ftp      ftp            20 Mar 01 05:37 ../..\/..\/..\/../..\/../..\/../testfile.txt\r\n

Response to MLSD (backslash):

type=file;modify=20080227074710;size=20; \..\..\..\..\..\..\..\..\..\testfile.txt\r\n

Response to MLSD (forward-slash):

type=file;modify=20080227074710;size=20; /../../../../../../../../../testfile.txt\r\n

Response to MLSD (combination):

type=file;modify=20080227074710;size=20; ../..\/..\/..\/../..\/../..\/../testfile.txt\r\n

By tricking a user to download a directory from a malicious FTP server that contains files with directory traversal sequences in their filenames, it is possible for the attacker to write files to arbitrary locations on a user's system with privileges of that user. An attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.

Instructions for testing FTP client:

Unzip the POC file into a directory. This gives 3DFTPPOC.exe, 3DFTPPOC-forward.exe, and 3DFTPPOC-combination.exe.

3DFTPPOC.exe is a POC FTP server that will send filenames with backslash directory traversal characters in response to LIST commands.
3DFTPPOC-forward.exe is a POC FTP server that will send filenames with forward-slash directory traversal characters in response to LIST commands.
3DFTPPOC-combination.exe is a POC FTP server that will send filenames with both backslash and forward-slash directory traversal characters in response to LIST commands.

Go to the command prompt and run one of the POC FTP server on a system. It will listen on FTP Port 21.

IMPORTANT: Ensure that 3D-FTP is configured to use Passive mode. The POC FTP server only supports Passive mode.
Disable remote directory caching on 3D-FTP, under "Settings->Advanced TAB->Enable Cache". This is to ensure proper testing of the various combinations of directory traversal sequences.
Use 3D-FTP to connect to the POC FTP server. You can use any username/password.
You'll see a directory named /testdir on the POC FTP server (see below).

If you traverse into that directory you'll see a file (testfile.txt) with directory traversal characters in its filename (see below).

Now, if you attempt to download the /testdir directory into C:\aaaa\bbbb\cccc\etc, you'll notice that testfile.txt will be written into C:\ instead of into C:\aaaa\bbbb\cccc\etc\testdir\testfile.txt.

Hence, by tricking a user to download a directory from a malicious FTP server, an attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.

2008-06-15 - Vulnerability Discovered.
2008-06-15 - Vulnerability details and POC sent to vendor.
2008-06-15 - Initial Vendor Reply.
2008-06-15 - Vendor released fixed version within 2 hours of receiving report.
2008-06-16 - Public Release.