by Tan Chew Keong
Release Date: 2008-05-23
[en] [jp]
Summary
A vulnerability has been found in Core FTP FTP-client. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.
Tested Versions
Details
This advisory discloses a vulnerability in Core FTP FTP-client. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.
The FTP client does not properly sanitise filenames containing directory traversal sequences (backslash and forward-slash) that are received from an FTP server in response to the LIST command.
Examples of such responses from a malicious FTP server is shown below.
Response to LIST (backslash):
-rw-r--r-- 1 502 502 4096 Mar 01 05:37 \..\..\..\..\..\..\..\..\..\testfile.txt\r\n
Response to LIST (forward slash):
-rw-r--r-- 1 502 502 4096 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n
By tricking a user to download a directory from a malicious FTP server that contains files with backslash or forward-slash directory traversal sequences in their filenames, it is possible for the attacker to write files to arbitrary locations on a user's system with privileges of that user. An attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.
POC / Test Code
Please download the POC here and follow the instructions below.
Instructions:
- Unzip the POC file into a directory. This gives CoreFTPPOC.exe and CoreFTPPOC-forward.exe.
- CoreFTPPOC.exe and CoreFTPPOC-forward.exe are POC FTP servers that will send filenames with directory traversal characters in response to LIST commands.
- CoreFTPPOC.exe sends filenames with backslash directory traversal characters, whereas CoreFTPPOC-forward.exe sends filenames with forward-slash traversal characters.
- Go to the command prompt and run CoreFTPPOC.exe or CoreFTPPOC-forward.exe on a system. It will listen on FTP Port 21.
- Ensure that CoreFTP is configured to use Passive mode.
- Use CoreFTP to connect to the POC FTP server. You can use any username/password.
- You'll see a directory named /testdir on the POC FTP server (see below).
- If you traverse into that directory you'll see a file (testfile.txt) with directory traversal characters in its filename (see below).
- Now, if you attempt to download the /testdir directory into C:\aaaa\bbbb\cccc\etc, you'll notice that testfile.txt will be written into C:\ instead of into C:\aaaa\bbbb\cccc\etc\testdir\testfile.txt.
Hence, by tricking a user to download a directory from a malicious FTP server, an attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.
Patch / Workaround
The vulnerability has been fixed in Version 2.1 Build 1568.
Disclosure Timeline
2008-05-15 - Vulnerability Discovered.
2008-05-15 - Initial Vendor Notification.
2008-05-15 - Initial Vendor Reply.
2008-05-15 - Vulnerability Details Sent to Vendor.
2008-05-22 - Vendor Releases Fixed Version.
2008-05-23 - Public Release.