by Tan Chew Keong
Release Date: 2008-06-13
[en] [jp]
Summary
A vulnerability has been found within the FTP client in Glub Tech Secure FTP. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.
Tested Versions
Details
This advisory discloses a vulnerability within the FTP client in Glub Tech Secure FTP. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system. Only Windows users are affected by this vulnerability.
The FTP client does not properly sanitise filenames containing directory traversal sequences (backslash) that are received from an FTP server in response to the LIST command.
An example of such a response from a malicious FTP server is shown below.
Response to LIST (backslash):
-rw-r--r-- 1 ftp ftp 20 Mar 01 05:37 \..\..\..\..\..\..\..\..\..\testfile.txt\r\n
By tricking a user to download a directory from a malicious FTP server that contains files with backslash directory traversal sequences in their filenames, it is possible for the attacker to write files to arbitrary locations on a user's system with privileges of that user. An attacker can potentially leverage this issue to write files into a user's Windows Startup folder and execute arbitrary code when the user logs on.
POC / Test Code
Please download the POC here and follow the instructions below.
Instructions for testing FTP client:
- Unzip the POC file into a directory. This gives GlubSecureFTPPOC.exe.
- GlubSecureFTPPOC.exe is a POC FTP server that will send filenames with backslash directory traversal characters in response to LIST commands.
- Go to the command prompt and run GlubSecureFTPPOC.exe on a system. It will listen on FTP Port 21.
- IMPORTANT: Ensure that the Secure FTP FTP-client is configured to use Passive mode. The POC FTP server only supports Passive mode.
- Run the Secure FTP FTP-client on a Windows system and use it to connect to the POC FTP server. You can use any username/password.
- You'll see a directory named /testdir on the POC FTP server (see below).
- If you traverse into that directory you'll see a file (testfile.txt) with directory traversal characters in its filename (see below).
- Now, if you attempt to download the /testdir directory into C:\aaaa\bbbb\cccc\etc, you'll notice that testfile.txt will be written into C:\ instead of into C:\aaaa\bbbb\cccc\etc\testdir\testfile.txt.
Hence, by tricking a user to download a directory from a malicious FTP server, an attacker can potentially leverage this issue to write files into a user's Windows Startup folder and execute arbitrary code when the user logs on.
Patch / Workaround
Update to version 2.5.16 (20080610.760)
Disclosure Timeline
2008-06-09 - Vulnerability Discovered.
2008-06-10 - Vulnerability Details and POC Sent to Vendor.
2008-06-10 - Initial Vendor Reply.
2008-06-12 - Vendor Releases Fixed Version.
2008-06-13 - Public Release.