Aon’s Cyber Solutions recently discovered multiple vulnerabilities in Ipswitch’s WS_FTP Server versions 8.6.0 and below. The issues include:
- An arbitrary file write as the SYSTEM user leading to remote code execution (CVE-2019-12144)
- An arbitrary file write within a server’s FTP root (CVE-2019-12146)
- Multiple information disclosure vulnerabilities (CVE-2019-12143, CVE-2019-12145)
These vulnerabilities all require valid user credentials and only affect the SCP protocol.
Aon would like to thank Ipswitch for working with Aon’s Cyber Labs under our coordinated disclosure process to quickly remediate these vulnerabilities.
04/05/19 – Vulnerabilities disclosed, receipt acknowledged
04/10/19 – Vulnerabilities confirmed
05/29/19 – Version 8.6.1 released containing fixes for all issues
09/18/19 – Aon public disclosure
CVE-2019-12144 Dan Bastone
CVE-2019-12146 Devon Greene
CVE-2019-12143 Devon Greene
CVE-2019-12145 Dan Bastone
CVE-2019-12144: Arbitrary File Write as SYSTEM via Path Traversal
The WS_FTP server SCP listener does not adequately validate that supplied filenames do not contain path traversal characters. This allows an authenticated attacker to write files to arbitrary locations on the filesystem with SYSTEM permissions, even when the “Lock User To Home Directory” option is selected. This is demonstrated below by creating the file “c:\test.txt” using SCP, assuming that an attacker has valid credentials for “user1” and the WS_FTP server is listening on host 192.168.194.138.
$ echo test > \\..\\..\\..\\..\\..\\..\\..\\..\\test.txt $ scp \\..\\..\\..\\..\\..\\..\\..\\..\\test.txt firstname.lastname@example.org: email@example.com's password: \..\..\..\..\..\..\..\..\test.txt 100% 5 0.5KB/s 00:00
The file is present on the server:
C:\>dir /q test.txt Volume in drive C has no label. Volume Serial Number is F603-DB19 Directory of C:\ 04/03/2019 02:00 PM 5 BUILTIN\Administrators test.txt 1 File(s) 5 Bytes 0 Dir(s) 49,050,906,624 bytes free C:\>type test.txt test
Note that the file is owned by an administrative user, demonstrating that this vulnerability allows files to be written anywhere on the filesystem.
This vulnerability can be further leveraged to obtain remote code execution as the SYSTEM user without requiring a reboot. By uploading a malicious DLL file, which is loaded by an IIS worker process used for the WS_FTP administrative interface approximately once every hour, we can obtain NETWORK SERVICE privilege. This level of privilege is sufficient to then add a new WS_FTP system administrator user which can create an FTP SITE command that is run as SYSTEM, resulting in code execution as the SYSTEM user. A fully working proof-of-concept has been developed and will be published at a later date.
CVE-2019-12146: Home Directory Escape via Path Traversal
IPSwitch WS_FTP Server v8.6.0 contains a second path traversal vulnerability in the SCP Subsystem allowing authenticated attackers to write files and create directories outside of their home directory into the host’s FTP root. The issue stems from the application improperly resolving destination directories containing 3 or more dot (“.”) characters. This vulnerability exists in the parsing of the destination folder name and is distinct from CVE-2019-12144 above.
The following commands create a test file and directory, and copies them to the vulnerable server:
$ touch test.txt $ mkdir test $ scp -r test.txt test/ firstname.lastname@example.org:.../
A directory listing on the server shows that the file and directory have been placed in the users/ directory, outside of the user’s home directory:
dir /q users/ ...SNIP... <DIR> 0 BUILTIN\Administrators test 0 BUILTIN\ADMINISTRATORS test.txt
CVE-2019-12143: Username and Filename Disclosure via SCP Recursive Download
Authenticated users are able to discover usernames and filenames of other users using SCP recursive downloads along with path traversal and wildcard characters. In the event a user does not have access to a file, a permission denied error followed by the file path is returned in the response.
In this example, the system contains 3 users – user1, user2, and adminuser. user1 is able to trigger error messages containing the other usernames along with filenames contained in their home directories.
$ scp -r email@example.com:../../*/*/* . firstname.lastname@example.org's password: scp:Permission Denied! /users/adminuser/admintestfile.txt user1testfile.txt 100% 912 1.6MB/s scp:Permission Denied! /users/user2/user2testfile.txt
CVE-2019-12145: Path Disclosure via Nonexistent Filenames
By using filenames containing backslash characters in a manner similar to CVE-2019-12146, it is possible to cause the WS_FTP Server to return an error message that discloses the full pathname of the FTP root directory. This information may be useful to an attacker attempting to learn more about the filesystem layout to conduct further attacks.
$ touch \\doesnt\\exist $ scp \\doesnt\\exist email@example.com: firstname.lastname@example.org's password: scp:Could not find a part of the path 'C:\Program Files (x86)\Ipswitch\WS_FTP Server\WS_FTP Server\[hostname redacted]\users\user1\doesnt\exist'.