[vuln.sg] Classic FTP FTP-Client Directory Traversal Vulnerability

A vulnerability has been found in Classic FTP FTP-client. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.

This advisory discloses a vulnerability in Classic FTP FTP-client. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.

The FTP client does not properly sanitise filenames containing directory traversal sequences (backslash and forward-slash) that are received from an FTP server in response to the LIST command.

Response to LIST (backslash):

-rw-r--r--  1 502   502     4096 Mar 01 05:37 \..\..\..\..\..\..\..\..\..\testfile.txt\r\n

Response to LIST (forward slash):

-rw-r--r--  1 502   502     4096 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n

By tricking a user to download a directory from a malicious FTP server that contains files with backslash or forward-slash directory traversal sequences in their filenames, it is possible for the attacker to write files to arbitrary locations on a user's system with privileges of that user. An attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.

Instructions:

Unzip the POC file into a directory. This gives ClassicFTPPOC.exe and ClassicFTPPOC-forward.exe.
ClassicFTPPOC.exe and ClassicFTPPOC-forward.exe are POC FTP servers that will send filenames with directory traversal characters in response to LIST commands.
ClassicFTPPOC.exe sends filenames with backslash directory traversal characters, whereas ClassicFTPPOC-forward.exe sends filenames with forward-slash traversal characters.
Go to the command prompt and run ClassicFTPPOC.exe or ClassicFTPPOC-forward.exe on a system. It will listen on FTP Port 21.

Ensure that Classic FTP is configured to use Passive mode.
Use Classic FTP to connect to the POC FTP server. You can use any username/password.
You'll see a directory named /testdir on the POC FTP server (see below).

If you traverse into that directory you'll see a file (testfile.txt) with directory traversal characters in its filename (see below).

Now, if you attempt to download the /testdir directory into C:\aaaa\bbbb\cccc\etc, you'll notice that testfile.txt will be written into C:\ instead of into C:\aaaa\bbbb\cccc\etc\testdir\testfile.txt.

Hence, by tricking a user to download a directory from a malicious FTP server, an attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.

Update to version 1.11, which fixes this vulnerability. See vendor's release notes.

2008-06-02 - Vulnerability Discovered.
2008-06-02 - Vulnerability details sent to vendor via online form (no reply).
2008-06-07 - Vulnerability details sent to vendor again via online form (no reply).
2008-06-10 - Received reply from vendor that developers have been informed, but no ETA yet.
2008-06-12 - Vendor reminder sent (no reply).
2008-06-18 - Vendor reminder sent.
2008-06-19 - Received reply that the release date of the fixed version is still unknown.
2008-06-20 - Public Release.
2008-12-12 - Received notification from vendor that vulnerability was fixed in version 1.11. Updated advisory.