Before we are going to analyse and exploit this vulnerability we will first have a look at Wing FTP Server in general and its extensive list of features. Wing FTP server is multi-protocol enterprise grade file server with a lot of features that runs on multiple platforms such as Windows, Linux, Mac OSX and Solaris. The file server supports many protocols: FTP, FTPS(FTP with SSL), HTTP, HTTPS, and SFTP server. Wing FTP Server is actively maintained with regular monthly updates, the latest release is version 4.8.5 which was released in February 2017. Some nice features I personally like about Wing FTP are the remote web based administration panel, the web based client, the virtual servers and of course the API’s. Wing FTP 4.3.8 Authenticated Command Execution Vulnerability More information can be found on the Wing FTP website. The vulnerable part of Wing FTP 4.3.8 is the embedded lua interpreter in the admin web interface. This part of the software can only be accessed by an authenticated administrator user. In the case of Wing FTP on Windows the attacker is able to use os.execute() by supplying a specially crafted HTTP POST request or just access the web administrator panel. The os.execute() function in the lua interpreter can then be used for executing arbitrary system commands on the target host. When exploiting this vulnerability the executed commands will be in the context of the user running the vulnerable software. In the case of Wing FTP 4.3.8 on Windows the arbitrary commands are executed with system privileges as we will demonstrate in this tutorial.īefore we are able to execute commands we need to have admin credentials to log in to the administrator panel. There are many ways to get a hold of credentials for web applications, depending on how they are installed and accessed. There are many Examples of ways to retrieve credentials. One of them is through SQL injection when credentials are stored in a database. Another option is through local file inclusion when they are stored in files on the server. Let’s have a look first at how Wing FTP version 4.3.8 stores administrator credentials. Then we’ll have a look at how we can manually execute system commands using the lua interpreter in the administrator panel. Wing FTP server admin credentialsĪs already explained earlier we need to have admin credentials in order to exploit the authenticated command execution vulnerability in the administrator panel.įinally we will demonstrate how to exploit this vulnerability using Metasploit. The admins.xml file can be found in the following location:Ĭ:\Program Files\Wing FTP Server\Data\_ADMINISTRATOR After installing the demo version on a local system we found out that a file named admins.xml contains the hashed administrator password. This is where we can exploit the vulnerability to execute system commands with system privileges. The console uses the lua scripting language which is an embeddable scripting language that can be found in many software programs. When you type the ‘help’ command on the console you will be presented with a list of commands that you can use to control the Wing FTP server. You will also notice that executing system commands is not one of the options. Let’s have a look at how to execute the system commands manually. The vulnerability description mentions that we can execute system commands using the os.execute() function. Let’s try to use this function to create a new user named hacker on the Windows system and add it to the local administrator group. Use the following commands on the lua command line to add a user named ‘hacker’ with password ‘hacker’: #Wing ftp server windows# Root shell on the target host by exploiting Wing FTP Server 4.3.8 Os.execute(‘cmd.exe /c net localgroup administrators hacker /add’) Then add it to the local administrator group with the following command: Os.execute(‘cmd.exe /c net user hacker hacker /add’) #Wing ftp server password# Also check your backgrounded sessions after each attempt with the following command: Please note that sometimes you will not directly get a shell and you have to run the exploit again. The developers of Wing FTP server are actively maintaining the software and improving security. The authenticated command execution vulnerability has been fixed in versions later than 4.3.8 and updating to a later version will fix this issue.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |