by Tan Chew Keong
Release Date: 2013-05-22
Summary
A vulnerability has been found within the FTP client in LYSESOFT AndFTP. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
Tested Versions
Details
This advisory discloses a vulnerability within the FTP client in LYSESOFT AndFTP. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations within the SD card of the user's Android device.
The FTP client does not properly sanitise filenames that it receives from an FTP server in response to the LIST command when those filenames contain directory traversal sequences (a leading forward slash followed by ../ components).
An example of such a response from a malicious FTP server is shown below.
Response to LIST (forward-slash):
-rw-r--r-- 1 ftp ftp 20 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n
By tricking a user into downloading a directory from a malicious FTP server that contains files with forward-slash directory traversal sequences in their filenames, an attacker can write files to arbitrary locations within the SD card of the user's Android device. An attacker can potentially leverage this issue to overwrite files in known locations within the SD card of the user's Android device.
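The missing check described above, as an added example that is not part of this advisory or of AndFTP's code: a Python sanitiser for a UNIX-style LIST response that extracts each entry's name, refuses any name that is not a bare filename, and additionally verifies that the resolved local path stays inside the download directory. The parser, the function names and the download directory /mnt/sdcard/testdir are assumptions; the malicious LIST line is the one quoted in the advisory, and the second, benign line is constructed. The naive_download_path function is included only to show why a plain path join is not enough: posixpath.join discards the base directory entirely when the server-supplied name starts with a slash.

```python
import posixpath

# Constructed sample LIST response: the malicious line quoted in the advisory
# followed by a benign entry.
SAMPLE_LIST_RESPONSE = (
    "-rw-r--r-- 1 ftp ftp 20 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n"
    "-rw-r--r-- 1 ftp ftp 20 Mar 01 05:37 testfile2.txt\r\n"
)


def parse_unix_list_line(line):
    """Return the name field of a UNIX-style LIST line (hypothetical minimal parser).

    The first eight whitespace-separated fields are mode, link count, owner,
    group, size and three date/time tokens; everything after them is the
    entry name, which may itself contain spaces.
    """
    fields = line.rstrip("\r\n").split(None, 8)
    if len(fields) < 9:
        raise ValueError("not a UNIX-style LIST line: %r" % line)
    return fields[8]


def is_safe_entry_name(name):
    """A LIST entry must be a bare name: no separators, no '.' or '..', no NUL."""
    if name in ("", ".", ".."):
        return False
    if any(ch in name for ch in "/\\\x00"):
        return False
    return True


def naive_download_path(download_dir, name):
    """The unsafe mapping: join and normalise without validating the name.

    For an absolute name such as "/../../x" posixpath.join drops download_dir,
    so the file would be written relative to the filesystem root instead.
    """
    return posixpath.normpath(posixpath.join(download_dir, name))


def resolve_download_path(download_dir, name):
    """Map a server-supplied name to a local path, refusing anything that escapes download_dir.

    Two independent checks: the name must be a bare filename, and the
    normalised target must still lie inside the download directory.
    """
    if not is_safe_entry_name(name):
        raise ValueError("rejected unsafe entry name: %r" % name)
    root = posixpath.normpath(download_dir)
    target = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, target]) != root:
        raise ValueError("entry escapes download directory: %r" % name)
    return target


def plan_downloads(download_dir, list_response):
    """Return (accepted_paths, rejected_entries) for every entry in a LIST response."""
    accepted, rejected = [], []
    for line in list_response.splitlines():
        if not line.strip():
            continue
        name = parse_unix_list_line(line)
        try:
            accepted.append(resolve_download_path(download_dir, name))
        except ValueError as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = plan_downloads("/mnt/sdcard/testdir", SAMPLE_LIST_RESPONSE)
    for path in ok:
        print("would write:", path)
    for name, reason in bad:
        print("refused   :", name, "->", reason)
```

Rejecting separators outright is the decisive check: a LIST response names entries of one directory, so a legitimate name never contains a slash, and a client that enforces this does not need to reason about how many ../ components the server sent. The commonpath check is kept as defence in depth for code paths that assemble the local path from other inputs.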
POC / Test Code
Please download the POC here and follow the instructions below.
Instructions for testing FTP client:
- On a Windows system, unzip the POC file into a directory. This gives AndFTPPOC-forward.exe.
- AndFTPPOC-forward.exe is a POC FTP server that will send filenames with forward-slash directory traversal characters in response to LIST commands.
- Go to the Windows command prompt and run AndFTPPOC-forward.exe on a system. It will listen on FTP Port 2121.
- IMPORTANT: Ensure that the AndFTP FTP-client is configured to use Passive mode. The POC FTP server only supports Passive mode.
- Run the AndFTP FTP-client on the Android device and use it to connect to the POC FTP server. You can use any username/password.
- You'll see a directory named /testdir on the POC FTP server (see below).
- If you traverse into that directory you'll see a file (testfile2.txt) with directory traversal characters in its filename (see below).
- Now, proceed to download the entire /testdir directory into /mnt/sdcard.
- When the download completes you'll notice that testfile2.txt will be written into /mnt/sdcard/testHACKED/testfile2.txt instead of into /mnt/sdcard/testdir/testfile2.txt.
Hence, by tricking a user into downloading a directory from a malicious FTP server, an attacker can potentially leverage this issue to write files into arbitrary locations within the SD card of the user's Android device, or to overwrite files in known locations within the SD card.
For example, an attacker who knows the filenames of the user's photos in the /mnt/sdcard/DCIM/ directory can exploit this vulnerability to overwrite those photo files.
Patch / Workaround
Fixed in AndFTP version 3.3
Vendor's changelog here.
Disclosure Timeline
2013-05-18 - Vulnerability Discovered.
2013-05-19 - Vulnerability Details Sent to Vendor.
2013-05-19 - Vendor Released Fixed Version.
2013-05-22 - Public Release.
2013-05-24 - Added link to Vendor's changelog.