by Tan Chew Keong
Release Date: 2008-05-19
A vulnerability has been found in FireFTP add-on for Firefox. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.
The vulnerability is also confirmed in development version 0.98.20080405
This advisory discloses a vulnerability in the FireFTP add-on for Firefox. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.
The FTP client does not properly sanitise filenames containing directory traversal sequences (backslash) that are received from an FTP server in response to the MLSD and LIST commands.
Examples of such responses from a malicious FTP server is shown below.
Response to MLSD:
Response to LIST:
-rw-r--r-- 1 502 502 4096 Mar 01 05:37 \..\..\..\..\..\..\..\..\..\testfile.txt\r\n
By tricking a user to download a directory from a malicious FTP server that contains files with backslash directory traversal sequences in their filenames, it is possible for the attacker to write files to arbitrary locations on a user's system with privileges of that user. An attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.
POC / Test Code
Please download the POC here and follow the instructions below.
- Unzip the POC file into a directory. This gives FireFTPPOC.exe.
- FireFTPPOC.exe is a POC FTP server that will send filenames with backslash directory traversal characters in response to MLSD and LIST commands.
- Go to the command prompt and run FireFTPPOC.exe on a system. It will listen on FTP Port 21.
- Ensure that FireFTP is configured to use Passive mode.
- DISABLE Remember Directory Listings in FireFTP.
- Use FireFTP from a Windows system to connect to the POC FTP server. You can use any username/password.
- You'll see a directory named /testdir on the POC FTP server (see below).
- If you traverse into that directory you'll see a file (testfile.txt) with directory traversal characters in its filename (see below).
- Now, if you attempt to download the /testdir directory into C:\aaaa\bbbb\cccc\etc, you'll notice that testfile.txt will be written into C:\ instead of into C:\aaaa\bbbb\cccc\etc\testdir\testfile.txt.
Hence, by tricking a user to download a directory from a malicious FTP server, an attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.
Patch / Workaround
The vulnerability has been fixed in development version 0.98.20080518 and in release version 0.97.2. Code change in CVS.
2008-05-09 - Vulnerability Discovered.
2008-05-09 - Initial Vendor Notification.
2008-05-09 - Initial Vendor Reply.
2008-05-09 - Vulnerability Details Sent to Vendor.
2008-05-18 - Vendor fixes issue in development version and releases information on development website.
2008-05-19 - Public Release.
2008-05-22 - Received notification from vendor that vulnerability is fixed in release version 0.97.2.