vuln.sg Vulnerability Research Advisory NULL FTP Server SITE Parameters Command Injection Vulnerability by Tan Chew Keong Release Date: 2008-12-05 Summary A vulnerability has been found in NULL FTP Server. When exploited, this vulnerability allows an authenticated user to execute arbitrary shell commands on the FTP server. In order to exploit this vulnerability, the FTP SITE commands must be enabled on the server and the SITE commands must be configured to accept parameters from the user. Tested Versions * NULL FTP Server Free/Pro Version 1.1.0.7 Details A vulnerability has been found in NULL FTP Server. When exploited, this vulnerability allows an authenticated user to execute arbitrary shell commands on the FTP server. In order to exploit this vulnerability, the FTP SITE commands must be enabled on the server and the SITE commands must be configured to accept parameters from the user. NULL FTP Server allows customised SITE commands to be defined in the FTP server, for example, to allow the user to run Windows shell commands like attrib, dir, etc. It supports the passing of parameters to the SITE commands so that the user can pass commandline arguments to the corresponding shell commands. Parameters are defined using the %readfile1, %writefile1, %1, %2, %3, %4, %5, %6, %7, %8, and %9 placeholders when creating the SITE commands. For example, to allow the user to use dir, it is possible to define the NATIVEDIR SITE command as dir %readfile1. Upon logon to the NULL FTP Server, the user can issue SITE NATIVEDIR test.txt to run dir test.txt. NULL FTP Server performs some validation checks on the parameters passed by the user to prevent command injection. See screenshot below: However, this validation check is insufficent and thus, cannot totally prevent the user from injecting arbitrary Windows shell commands. Enclosing the placeholders in double-quotes do not fully resolve the issue. Please use the POC instructions below to verify the vulnerability. POC / Test Code Please follow the instructions below to confirm the vulnerability on a Windows system. Prerequisites Please configure NULL FTP Server as follows prior to testing: 1. Create a test user on the NULL FTP Server. 2. Ensure that this user is given Full Access (i.e. read and write) to the FTP directory. This is required since the %writefile1 parameter requires the user to have write access to the FTP directory. 3. Configure NULL FTP Server to Enable SITE commands and click on Apply. 4. Download and extract netcat from here. netcat (nc.exe) will be used to issue FTP commands directly to NULL FTP Server. Test Case 1 1. Create the following SITE command in NULL FTP Server if it does not already exist. Command Name: NATIVEDIR Executable/batch file: dir %readfile1 2. Using netcat, logon to the FTP server and issue the following SITE command. SITE NATIVEDIR "."\""&ping 127.0.0.1& OR SITE NATIVEDIR a&ipconfig 3. The above SITE commands will inject the ping or the ipconfig command. See screenshot below. Test Case 2 The purpose of this test case is to show that enclosing the %readfile1 placeholder in double-quotes will not solve the issue. 1. Create the following SITE command in NULL FTP Server if it does not already exist. Command Name: NATIVEDIR Executable/batch file: dir "%readfile1" 2. Using netcat, logon to the FTP server and issue the following SITE command. Do note that this exploit is slightly different from Test Case 1. SITE NATIVEDIR ".""\""&ping 127.0.0.1& 3. The above SITE command will inject the ping command. See screenshot below. Test Case 3 1. Create the following SITE command in NULL FTP Server if it does not already exist. Command Name: ATTRIB Executable/batch file: attrib %writefile1 %2 %3 %4 %5 %6 %7 %8 %9 2. Using netcat, logon to the FTP server and issue the following SITE command. SITE ATTRIB a&& ping 127.0.0.1 OR SITE ATTRIB a &ping 127.0.0.1 OR SITE ATTRIB a| ping 127.0.0.1 3. The above SITE command will inject the ping command. See screenshot below. Test Case 4 1. Enclosing the placeholders in double-quotes will not solve the issue. Command Name: ATTRIB Executable/batch file: attrib "%writefile1" "%2" "%3" "%4" "%5" "%6" "%7" "%8" "%9" Test Exploit: SITE ATTRIB a" &ping 127.0.0.1& 2. Again, enclosing the placeholders in double-quotes will not solve the issue. Command Name: ATTRIB Executable/batch file: attrib %writefile1 "%2" "%3" "%4" "%5" "%6" "%7" "%8" "%9" Test Exploit: SITE ATTRIB a &"ping 127.0.0.1& 3. The above SITE commands will inject the ping command. Patch / Workaround Update to version 1.1.0.8. See vendor's release notes. Disclosure Timeline 2008-11-25 - Vulnerability Discovered. 2008-11-26 - Initial Notification Sent to Vendor (Support Ticket #20786). 2008-11-26 - Initial Vendor Reply. Vulnerability details sent to vendor. 2008-11-27 - Received vendor response that vulnerability has been fixed in version 1.1.0.8, and the fixed version has been released via online update. 2008-12-05 - Public Release. Contact For further enquries, comments, suggestions or bug reports, simply email them to Tan Chew Keong.