vuln.sg  

vuln.sg Vulnerability Research Advisory

FireFTP for FireFox SFTP Command Manipulation Security Issue

by Tan Chew Keong
Release Date: 2009-09-28

   [en] [jp]

Summary

A security issue has been found within the FireFTP add-on for Firefox. When exploited, this issue allows a malicious user who can create files on a SFTP server, to manipulate the SFTP commands that a FireFTP user sends to the server.


Tested Versions


Details

A security issue has been found within the FireFTP add-on for Firefox. When exploited, this issue allows a malicious user who can create files on a SFTP server, to manipulate the SFTP commands that a FireFTP user sends to the server. In order to exploit this issue, the malicious user must be able to create files with specially-crafted filenames on the SFTP server and convince a FireFTP user to move, delete, chmod, or download the file.

Successful exploit of this issue would allow the malicious user to cause an FireFTP user to unknowingly perform operations on the wrong files on the SFTP server, or cause the FireFTP user to overwrite files within the Firefox installation directory.

FireFTP implements its SFTP support by running a local copy of psftp.exe and sending commands to it via a pipe. FireFTP constructs these commands using the string concatenation method. For example, if a user deletes a file with the name testfile via FireFTP, the string rm "testfile" is constructed by FireFTP, and sent to the running copy of psftp.exe. Note that FireFTP will enclose the filename using double-quotes.

FireFTP does not properly escape filenames that contain double-quote characters. This allows the constructed SFTP command to be modified using files with specially-crafted filenames. For example, if the user deletes a file with the name aaa" "bbb, the string rm "aaa" "bbb" will be constructed, and sent to psftp.exe. This causes the files aaa and bbb to be deleted instead of the aaa" "bbb file.

The correct way to escape the double-quote character in psftp is to use a second double-quote character. Using the above example, the correctly constructed command string should be rm "aaa"" ""bbb".

Please refer to the POC section below for instructions to verify this issue.


POC / Test Code

Please follow the instructions below to confirm the security issue. The POC requires FireFTP to be installed on a Windows system. A Linux system is required to act as the SFTP server.

Prerequisites


Please prepare the Linux server as follows prior to testing:

  1. Ensure that the Linux system has SSHD with SFTP enabled, and root logon is allowed.

  2. Login to the Linux system as the root user and create a test directory. E.g. /poc
 

Test Case 1 (rm and chmod commands)


  1. Logon to the Linux system as the root user using a SSH client (e.g. putty).

  2. Issue the following commands in the /poc directory on the Linux system to create the test files.

    3. cd /poc
    touch aaa
    touch bbb
    touch aaa\"\ \"bbb

  3. If your have performed the above steps correctly, you should see the following files in the /poc directory.

  4. Use FireFTP to logon to the Linux system via a SFTP connection (Logon as the root user).

  5. Change to the /poc directory. You should see the three files that were created in the above steps.

  6. Select the aaa" "bbb file and change its file permissions to 0777 as shown below.

  7. Observe from the FireFTP command log that instead of the aaa" "bbb file, the permissions of the aaa and bbb files were changed. View the listing of the /poc directory from the SSH client to double confirm that chmod was executed on the wrong files.

  8. Using FireFTP, select the aaa" "bbb file and delete it.

  9. Observe from the FireFTP command log that instead of the aaa" "bbb file, the aaa and bbb files were deleted. View the listing of the /poc directory from the SSH client to double confirm that the wrong files were deleted.

 

Test Case 2 (get command)


  1. Logon to the Linux system as the root user using a SSH client (e.g. putty).

  2. Issue the following commands in the /poc directory on the Linux system to create the test files.

    3. cd /poc
    touch aaa
    touch aaa\"\ \"hacked123

  3. If your have performed the above steps correctly, you should see the following files in the /poc directory.

  4. Use FireFTP to logon to the Linux system via a SFTP connection (Logon as the root user).

  5. Select the aaa" "hacked123 file and download it to a local directory e.g. C:\testdir\.

  6. Take note of the modified get command as shown in the FireFTP command log in the screenshot above.

  7. Search the system for the downloaded file. Note that it has been written into Firefox's installation directory with the name hacked123, instead of being written into the C:\testdir\ directory (see screenshot below). This can potentially be exploited to overwrite files within the Firefox installation directory.

 

Test Case 3 (mv command)


  1. Logon to the Linux system as the root user using a SSH client (e.g. putty).

  2. Issue the following commands in the /poc directory on the Linux system to create the test files.

    3. cd /poc
    touch aaa
    touch aaa\"\ \".
    mkdir test

  3. If your have performed the above steps correctly, you should see the following files in the /poc directory.

  4. Use FireFTP to logon to the Linux system via a SFTP connection (Logon as the root user).

  5. Select the aaa" ". file and move it into the test directory on the SFTP server.

  6. Take note of the modified mv command as shown in the FireFTP command log in the screenshot below.

  7. Also note that instead of the aaa" ". file, the aaa file has been moved into the test directory.

 


Patch / Workaround

Update to version 1.0.6.

Changes


Disclosure Timeline

2009-08-15 - Vulnerability Discovered.
2009-08-15 - Initial Notification Sent to Vendor.
2009-08-16 - Initial Reply from Vendor, Vulnerability Details Sent to Vendor.
2009-09-28 - Received email from vendor that fixed version was released.
2009-09-28 - Public Release.

Contact
For further enquries, comments, suggestions or bug reports, simply email them to