by Tan Chew Keong
Release Date: 2008-06-04
[en] [jp]
Summary
A vulnerability has been found within the WebDAV and FTP clients in BitKinex. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.
Tested Versions
Details
This advisory discloses a vulnerability within the WebDAV and FTP clients in BitKinex. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.
The FTP client does not properly sanitise filenames containing directory traversal sequences (backslash and forward-slash) that are received from an FTP server in response to the LIST command. Similiarly, the WebDAV client does not properly sanitise filenames containing directory traversal sequences (backslash) that are received in response to the PROPFIND command.
Examples of such responses from a malicious FTP and WebDAV server is shown below.
Response to LIST (backslash):
-rw-r--r-- 1 ftp ftp 20 Mar 01 05:37 \..\..\..\..\..\..\..\..\..\testfile.txt\r\n
Response to LIST (forward-slash):
-rw-r--r-- 1 ftp ftp 20 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n
Response to PROPFIND:
<D:href>/testdir/\..\..\..\..\..\..\..\..\..\testfile.txt</D:href>\r\n"
By tricking a user to download a directory from a malicious WebDAV or FTP server that contains files with directory traversal sequences in their filenames, it is possible for the attacker to write files to arbitrary locations on a user's system with privileges of that user. An attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.
POC / Test Code
Please download the POC here and follow the instructions below.
Instructions for testing FTP client:
- Unzip the POC file into a directory. This gives BitKinexFTPPOC.exe and BitKinexWebDAVPOC.exe.
- BitKinexFTPPOC.exe is a POC FTP server that will send filenames with directory traversal characters in response to LIST commands.
- Go to the command prompt and run BitKinexFTPPOC.exe on a system. It will listen on FTP Port 21.
- Ensure that BitKinex is configured to use Passive mode.
- Use BitKinex to connect to the POC FTP server. You can use any username/password.
- You'll see a directory named /testdir on the POC FTP server (see below).
- If you traverse into that directory you'll see a file (testfile.txt) with directory traversal characters in its filename (see below).
- Now, if you attempt to download the /testdir directory into C:\aaaa\bbbb\cccc\etc, you'll notice that testfile.txt will be written into C:\ instead of into C:\aaaa\bbbb\cccc\etc\testdir\testfile.txt.
Hence, by tricking a user to download a directory from a malicious FTP server, an attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.
Instructions for testing WebDAV client:
- BitKinexWebDAVPOC.exe is a POC WebDAV server that will send filenames with directory traversal characters in response to PROPFIND commands.
- Go to the command prompt and run BitKinexWebDAVPOC.exe on a system. It will listen on Port 80.
- Using BitKinex's WebDAV client, connect to port 80 of the POC WebDAV server. Use any username and password.
- You'll see a directory named /testdir on the POC WebDAV server.
- Follow the same instructions as above to confirm the directory traversal vulnerability.
Patch / Workaround
According to the vendor, the vulnerability will be fixed in version 3.0.
Disclosure Timeline
2008-05-13 - Vulnerability Discovered.
2008-05-13 - Initial Vendor Notification.
2008-05-14 - Initial Vendor Reply.
2008-05-14 - Vulnerability Details Sent to Vendor.
2008-05-19 - Vendor Reminder.
2008-05-19 - Vendor Reply Received.
2008-06-04 - Public Release.