SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (File Transfer/Sharing)  >   TwinFTP Vendors:   Jigunet Corporation
TwinFTP Server Input Validation Flaw in CWD/STOR/RETR Commands Lets Remote Authenticated Users Write Files to Arbitrary Locations
SecurityTracker Alert ID:  1011220
SecurityTracker URL:  http://securitytracker.com/id/1011220
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 12 2004
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 1.0.3 R2
Description:   Tan Chew Keong of SIG^2 reported an input validation vulnerability in the TwinFTP Server. A remote authenticated user can write files located outside of the FTP directory.

It is reported that the server does not properly validate user-supplied input in FTP commands. A remote authenticated user can supply a specially crafted directory name containing '.../' directory traversal characters to the CWD, STOR and RETR commands to write arbitrary files to arbitrary locations with the privileges of the FTP service.

The vendor was notified on August 4, 2004.

The original advisory is available at:

http://www.security.org.sg/vuln/twinftp103r2.html

Impact:   A remote authenticated user can write files to locations outside of the FTP directory. Files are written with the privileges of the target FTP service.
Solution:   The vendor released a fixed version (1.0.3 R3) as of September 10, 2004. It is important to note that the release version 1.0.3 R3 issued on August 13, 2004 still contains the vulnerability.
Vendor URL:  www.twinftp.com/ (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Directory Traversal Vulnerability in TwinFTP Server allows overwriting


SIG^2 Vulnerability Research Advisory

Directory Traversal Vulnerability in TwinFTP Server allows overwriting 
of files outside FTP directory

by Tan Chew Keong
Release Date: 12 Sept 2004


ADVISORY URL

http://www.security.org.sg/vuln/twinftp103r2.html


SUMMARY

TwinFTP Server (http://www.twinftp.com/) is a FTP server released by 
Jigunet Corporation for the Windows platform. A vulnerability exists in 
TwinFTP server that allows a malicious user access to files outside the 
FTP directory. This vulnerability may also be exploited to bypass 
directory restrictions enforced by the FTP server to write arbitrary 
files into directories that the server process has access to.


TESTED SYSTEM

TwinFTP Server Standard 1.0.3 R2 (Win32) on English WinXP SP1.
TwinFTP Server Enterprise 1.0.3 R2 (Win32) on English Win2K SP2.


DETAILS

A directory traversal vulnerability exists in several FTP commands of 
TwinFTP that may be exploited by a malicious user to access files 
outside the FTP directory. The problem lies with the incorrect filtering 
of directory name supplied to CWD, STOR and RETR commands. Directory 
traversal is possible when the directory name contains three dots and a 
forward slash, e.g. ".../winnt".

This vulnerability may be exploited to bypass directory restrictions 
enforced by the FTP server to write arbitrary files into directories 
that the server process has access to. This is critical since it may be 
abused by malicious users to overwrite system files within the Windows 
directory if the TwinFTP server runs with Administrator privilege.


PATCH

Upgrade to Version 1.0.3 R3 that is released on 10 Sep 2004. Version 
1.0.3 R3 released before 10 Sep 2004 is vulnerable.


DISCLOSURE TIMELINE

02 Aug 04 - Vulnerability Discovered
04 Aug 04 - Initial Vendor Notification (no reply)
09 Aug 04 - Second Vendor Notification
13 Aug 04 - Vendor released Version 1.0.3 R3 which fixes directory 
traversal problem, but RETR and STOR commands are still vulnerable
13 Aug 04 - Notified vendor about RETR and STOR vulnerability (no reply)
30 Aug 04 - Second vendor notification about RETR and STOR vulnerability
10 Sep 04 - Vendor re-released Version 1.0.3 R3 which fixes RETR and 
STOR commands.
12 Sep 04 - Public Release


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

SIG^2 G-TEC Software Vulnerability Research Project
http://www.security.org.sg/vuln/

"IT Security...the Gathering. By enthusiasts for enthusiasts."
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC