by Tan Chew Keong
Release Date: 2008-06-20
A vulnerability has been found in Classic FTP FTP-client. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.
This advisory discloses a vulnerability in Classic FTP FTP-client. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.
The FTP client does not properly sanitise filenames containing directory traversal sequences (backslash and forward-slash) that are received from an FTP server in response to the LIST command.
Examples of such responses from a malicious FTP server is shown below.
Response to LIST (backslash):
-rw-r--r-- 1 502 502 4096 Mar 01 05:37 \..\..\..\..\..\..\..\..\..\testfile.txt\r\n
Response to LIST (forward slash):
-rw-r--r-- 1 502 502 4096 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n
By tricking a user to download a directory from a malicious FTP server that contains files with backslash or forward-slash directory traversal sequences in their filenames, it is possible for the attacker to write files to arbitrary locations on a user's system with privileges of that user. An attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.
POC / Test Code
Please download the POC here and follow the instructions below.
- Unzip the POC file into a directory. This gives ClassicFTPPOC.exe and ClassicFTPPOC-forward.exe.
- ClassicFTPPOC.exe and ClassicFTPPOC-forward.exe are POC FTP servers that will send filenames with directory traversal characters in response to LIST commands.
- ClassicFTPPOC.exe sends filenames with backslash directory traversal characters, whereas ClassicFTPPOC-forward.exe sends filenames with forward-slash traversal characters.
- Go to the command prompt and run ClassicFTPPOC.exe or ClassicFTPPOC-forward.exe on a system. It will listen on FTP Port 21.
- Ensure that Classic FTP is configured to use Passive mode.
- Use Classic FTP to connect to the POC FTP server. You can use any username/password.
- You'll see a directory named /testdir on the POC FTP server (see below).
- If you traverse into that directory you'll see a file (testfile.txt) with directory traversal characters in its filename (see below).
- Now, if you attempt to download the /testdir directory into C:\aaaa\bbbb\cccc\etc, you'll notice that testfile.txt will be written into C:\ instead of into C:\aaaa\bbbb\cccc\etc\testdir\testfile.txt.
Hence, by tricking a user to download a directory from a malicious FTP server, an attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.
Patch / Workaround
Update to version 1.11, which fixes this vulnerability. See vendor's release notes.
2008-06-02 - Vulnerability Discovered.
2008-06-02 - Vulnerability details sent to vendor via online form (no reply).
2008-06-07 - Vulnerability details sent to vendor again via online form (no reply).
2008-06-10 - Received reply from vendor that developers have been informed, but no ETA yet.
2008-06-12 - Vendor reminder sent (no reply).
2008-06-18 - Vendor reminder sent.
2008-06-19 - Received reply that the release date of the fixed version is still unknown.
2008-06-20 - Public Release.
2008-12-12 - Received notification from vendor that vulnerability was fixed in version 1.11. Updated advisory.