TwinFTP Server Input Validation Flaw in CWD/STOR/RETR Commands Lets Remote Authenticated Users Write Files to Arbitrary Locations
SecurityTracker Alert ID: 1011220|
SecurityTracker URL: http://securitytracker.com/id/1011220
(Links to External Site)
Date: Sep 12 2004
Modification of system information, Modification of user information|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 1.0.3 R2|
Tan Chew Keong of SIG^2 reported an input validation vulnerability in the TwinFTP Server. A remote authenticated user can write files located outside of the FTP directory.|
It is reported that the server does not properly validate user-supplied input in FTP commands. A remote authenticated user can supply a specially crafted directory name containing '.../' directory traversal characters to the CWD, STOR and RETR commands to write arbitrary files to arbitrary locations with the privileges of the FTP service.
The vendor was notified on August 4, 2004.
The original advisory is available at:
A remote authenticated user can write files to locations outside of the FTP directory. Files are written with the privileges of the target FTP service.|
The vendor released a fixed version (1.0.3 R3) as of September 10, 2004. It is important to note that the release version 1.0.3 R3 issued on August 13, 2004 still contains the vulnerability.|
Vendor URL: www.twinftp.com/ (Links to External Site)
Access control error, Input validation error|
|Underlying OS: Windows (Any)|
Source Message Contents
Subject: Directory Traversal Vulnerability in TwinFTP Server allows overwriting|
SIG^2 Vulnerability Research Advisory
Directory Traversal Vulnerability in TwinFTP Server allows overwriting
of files outside FTP directory
by Tan Chew Keong
Release Date: 12 Sept 2004
TwinFTP Server (http://www.twinftp.com/) is a FTP server released by
Jigunet Corporation for the Windows platform. A vulnerability exists in
TwinFTP server that allows a malicious user access to files outside the
FTP directory. This vulnerability may also be exploited to bypass
directory restrictions enforced by the FTP server to write arbitrary
files into directories that the server process has access to.
TwinFTP Server Standard 1.0.3 R2 (Win32) on English WinXP SP1.
TwinFTP Server Enterprise 1.0.3 R2 (Win32) on English Win2K SP2.
A directory traversal vulnerability exists in several FTP commands of
TwinFTP that may be exploited by a malicious user to access files
outside the FTP directory. The problem lies with the incorrect filtering
of directory name supplied to CWD, STOR and RETR commands. Directory
traversal is possible when the directory name contains three dots and a
forward slash, e.g. ".../winnt".
This vulnerability may be exploited to bypass directory restrictions
enforced by the FTP server to write arbitrary files into directories
that the server process has access to. This is critical since it may be
abused by malicious users to overwrite system files within the Windows
directory if the TwinFTP server runs with Administrator privilege.
Upgrade to Version 1.0.3 R3 that is released on 10 Sep 2004. Version
1.0.3 R3 released before 10 Sep 2004 is vulnerable.
02 Aug 04 - Vulnerability Discovered
04 Aug 04 - Initial Vendor Notification (no reply)
09 Aug 04 - Second Vendor Notification
13 Aug 04 - Vendor released Version 1.0.3 R3 which fixes directory
traversal problem, but RETR and STOR commands are still vulnerable
13 Aug 04 - Notified vendor about RETR and STOR vulnerability (no reply)
30 Aug 04 - Second vendor notification about RETR and STOR vulnerability
10 Sep 04 - Vendor re-released Version 1.0.3 R3 which fixes RETR and
12 Sep 04 - Public Release
All guys at SIG^2 G-TEC Lab
SIG^2 G-TEC Software Vulnerability Research Project
"IT Security...the Gathering. By enthusiasts for enthusiasts."