Directory Traversal Vulnerability in TwinFTP Server allows overwriting
SIG^2 Vulnerability Research Advisory
Directory Traversal Vulnerability in TwinFTP Server allows overwriting
of files outside FTP directory
by Tan Chew Keong
Release Date: 12 Sept 2004
ADVISORY URL
http://www.security.org.sg/vuln/twinftp103r2.html
SUMMARY
TwinFTP Server (http://www.twinftp.com/) is a FTP server released by
Jigunet Corporation for the Windows platform. A vulnerability exists in
TwinFTP server that allows a malicious user access to files outside the
FTP directory. This vulnerability may also be exploited to bypass
directory restrictions enforced by the FTP server to write arbitrary
files into directories that the server process has access to.
TESTED SYSTEM
TwinFTP Server Standard 1.0.3 R2 (Win32) on English WinXP SP1.
TwinFTP Server Enterprise 1.0.3 R2 (Win32) on English Win2K SP2.
DETAILS
A directory traversal vulnerability exists in several FTP commands of
TwinFTP that may be exploited by a malicious user to access files
outside the FTP directory. The problem lies with the incorrect filtering
of directory name supplied to CWD, STOR and RETR commands. Directory
traversal is possible when the directory name contains three dots and a
forward slash, e.g. ".../winnt".
This vulnerability may be exploited to bypass directory restrictions
enforced by the FTP server to write arbitrary files into directories
that the server process has access to. This is critical since it may be
abused by malicious users to overwrite system files within the Windows
directory if the TwinFTP server runs with Administrator privilege.
PATCH
Upgrade to Version 1.0.3 R3 that is released on 10 Sep 2004. Version
1.0.3 R3 released before 10 Sep 2004 is vulnerable.
DISCLOSURE TIMELINE
02 Aug 04 - Vulnerability Discovered
04 Aug 04 - Initial Vendor Notification (no reply)
09 Aug 04 - Second Vendor Notification
13 Aug 04 - Vendor released Version 1.0.3 R3 which fixes directory
traversal problem, but RETR and STOR commands are still vulnerable
13 Aug 04 - Notified vendor about RETR and STOR vulnerability (no reply)
30 Aug 04 - Second vendor notification about RETR and STOR vulnerability
10 Sep 04 - Vendor re-released Version 1.0.3 R3 which fixes RETR and
STOR commands.
12 Sep 04 - Public Release
GREETINGS
All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
SIG^2 G-TEC Software Vulnerability Research Project
http://www.security.org.sg/vuln/
"IT Security...the Gathering. By enthusiasts for enthusiasts."