vuln.sg Vulnerability Research Advisory

net2ftp Web-based FTP-Client Archive Handling Directory Traversal

by Tan Chew Keong
Release Date: 2008-06-11
Updated: 2008-06-17

Summary

A vulnerability has been found within the archive extraction functionality of net2ftp. When exploited, this vulnerability allows an anonymous attacker to retrieve and potentially delete files from the web server where net2ftp is hosted. Execution of arbitrary PHP code is also possible if the web server directory is writable.


Tested Versions

  • net2ftp Version 0.96 (stable), and 0.97 (beta)


Details

This advisory discloses a vulnerability within the archive extraction functionality of net2ftp. When exploited, this vulnerability allows an anonymous attacker to retrieve and potentially delete files from the web server where net2ftp is hosted. Execution of arbitrary PHP code is also possible if the web server directory is writable.

The net2ftp web-based FTP client allows the user to connect to an FTP server and to extract a TAR/ZIP file on the FTP server in a few simple steps. It does this in the following way.

  1. The TAR/ZIP file is downloaded from the FTP server onto the web server where net2ftp is hosted.
  2. The downloaded archive is extracted into the "/documentroot/net2ftp_root/temp/unzip__xxxxxxxxx/" temp directory.
  3. Each extracted file is then uploaded from the temp directory back to the FTP server.
  4. For example, if the archive contains a file named "test.txt", net2ftp will upload "/documentroot/net2ftp_root/temp/unzip__xxxxxxxxx/test.txt" back to the FTP server.

A malicious user can create a specially-crafted TAR/ZIP archive that contains files with directory traversal sequences in their filenames. When such an archive is extracted by net2ftp, it can cause net2ftp to upload arbitrary files from the web server to the FTP server, with privileges for the web server process.

In addition, the files will be extracted outside of the temp directory. By creating a specially-crafted TAR/ZIP archive that causes PHP files to be extracted into the web server directory (via directory traversal sequences in their filenames), arbitrary code execution on the web server is possible. An example of such an archive is shown below.

Extracting such an archive with net2ftp will cause net2ftp to upload "/documentroot/net2ftp_root/temp/unzip__xxxxxxxxx/../../../../../../../../../../../../../../../../../../etc/passwd" to the FTP server.

This allows an attacker to steal /etc/passwd or any other files that are accessible to the web server process. For example, by stealing "settings.inc.php", an attacker will be able to find out the net2ftp admin username and password. Note that if net2ftp is hosted on a Windows-based web server, the backslash directory traversal sequence ..\ can also be used.

In addition, after the file is uploaded to the FTP server, net2ftp will attempt to delete that file. This means that if the web server process has write access to that file, it will be deleted.

To allow execution of arbitrary PHP code, the attacker must be able to access the extracted PHP file before net2ftp completes its upload to the FTP server and deletes the file. This can be achieved by creating a specially-crafted FTP server that sleeps for 10 seconds before completing the STOR request from net2ftp. This delay should give the attacker sufficient time to access the extracted PHP file before it is deleted.
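The root cause described above is that archive entry names are trusted as-is when the temp directory path is built. The following is an added example (not net2ftp's own code) of the check an extractor should perform on every entry name before writing it: it rejects absolute paths, ".." components and the backslash form noted for Windows hosts, then confirms the resolved path still lies under the temp directory. The sample archive and the base directory "/tmp/net2ftp_temp/unzip__example" are constructed for illustration.

```python
import io
import os
import zipfile

# Added example: validate archive entry names against an extraction directory.
# Not part of net2ftp; the base directory below is a constructed placeholder.

def is_safe_entry(base_dir: str, name: str) -> bool:
    """Return True only if `name` resolves inside `base_dir`."""
    # Treat backslashes as separators so "..\" sequences are caught on any host.
    normalized = name.replace("\\", "/")
    # Absolute paths and drive letters (C:...) never belong in an archive entry.
    if normalized.startswith("/") or (len(normalized) > 1 and normalized[1] == ":"):
        return False
    # Any ".." component, at the front or in the middle, is rejected outright.
    if ".." in normalized.split("/"):
        return False
    # Belt and braces: the resolved target must stay under the base directory.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *normalized.split("/")))
    return target == base or target.startswith(base + os.sep)

def partition_entries(base_dir: str, names):
    """Split entry names into (accepted, rejected) lists."""
    safe, rejected = [], []
    for n in names:
        (safe if is_safe_entry(base_dir, n) else rejected).append(n)
    return safe, rejected

def build_sample_zip() -> bytes:
    # Constructed in-memory archive with one benign entry and two traversal
    # entries of the shape the advisory describes (Unix and Windows style).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("test.txt", "harmless content")
        zf.writestr("../../../../etc/passwd", "")
        zf.writestr("..\\..\\..\\evil.php", "")
    return buf.getvalue()

def audit_zip(data: bytes, base_dir: str = "/tmp/net2ftp_temp/unzip__example"):
    """Read the member list of a ZIP and report which entries may be extracted."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return partition_entries(base_dir, zf.namelist())

if __name__ == "__main__":
    accepted, rejected = audit_zip(build_sample_zip())
    print("accepted:", accepted)
    print("rejected:", rejected)
```

An extractor that applies this check before writing each member, and aborts on the first rejected entry, neither writes outside the temp directory nor later uploads or unlinks anything outside it.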

This vulnerability can be exploited from two places in net2ftp.

  1. By using the "Unzip archive" functionality
  2. By using the "Upload files and archives" functionality

The screenshot below shows net2ftp attempted to delete /etc/passwd after uploading it to the FTP server.


POC / Test Code

Please download the POC here and follow the instructions below.


Preparations for testing:

  1. Deploy net2ftp on a Linux test system with Apache web server.
  2. Ensure that you do not apply any additional security features like chroot, PHP "Safe mode", etc.
  3. Ensure that /etc/passwd is read-only by the Apache web server process. Warning: If /etc/passwd is writable by the Apache web server process, it will be deleted.
  4. Enable "display_errors" in php.ini and restart Apache web server.

Instructions for testing FTP client:

  1. Unzip the POC file into an empty directory. This gives net2ftpPOC.exe.
  2. net2ftpPOC.exe is a POC FTP server that contains two hardcoded specially-crafted TAR and ZIP archives. These two archives will "steal" /etc/passwd when extracted.
  3. net2ftpPOC.exe will also be receiving the "stolen" /etc/passwd file.
  4. NOTE: Do NOT run net2ftpPOC.exe on a system that is connected to an untrusted public network. This POC FTP server does not perform any authentication and access-control restrictions!
  5. Go to the command prompt and run net2ftpPOC.exe on a Windows system. It will listen on FTP Port 21.
  6. IMPORTANT: Ensure that net2ftp is configured to use Passive mode. The POC FTP server only supports Passive mode.
  7. Use net2ftp to connect to the POC FTP server. You can use any username/password.
  8. You'll see two archives on the POC FTP server, testzip.zip and testtar.tar (see below).
  9. Select testzip.zip OR testtar.tar by clicking on the checkbox beside them.
  10. Click on the "Unzip" button and specify / as the target directory. (see below)
  11. Submit the request to net2ftp. If error reporting is enabled in PHP, you will see the unlink error (earlier screenshot) as the result. At the same time, you will see /etc/passwd being uploaded to the POC FTP server (see below).
  12. View the "passwd" file that was saved to same directory as net2ftpPOC.exe to confirm that it was from the server that hosts net2ftp.


Patch / Workaround

Update to version 0.97 (stable), which was released on June 9, 2008.


Disclosure Timeline

2008-06-05 - Vulnerability Discovered.
2008-06-06 - Vulnerability Details Sent to Vendor.
2008-06-09 - Vendor Reminder Sent.
2008-06-09 - Vendor releases fixed version.
2008-06-11 - Limited Information Public Disclosure.
2008-06-17 - Updated advisory with vulnerability information.


Contact
For further enquiries, comments, suggestions or bug reports, simply email them to