These vulnerabilities all require valid user credentials and only affect the SCP protocol.

Aon would like to thank Ipswitch for working with Aon’s Cyber Labs under our coordinated disclosure process to quickly remediate these vulnerabilities.

04/05/19 – Vulnerabilities disclosed, receipt acknowledged

05/29/19 – Version 8.6.1 released containing fixes for all issues

CVE-2019-12144: Arbitrary File Write as SYSTEM via Path Traversal

The WS_FTP server SCP listener does not adequately validate that supplied filenames do not contain path traversal characters. This allows an authenticated attacker to write files to arbitrary locations on the filesystem with SYSTEM permissions, even when the “Lock User To Home Directory” option is selected.

This is demonstrated below by creating the file “c:\test.txt” using SCP, assuming that an attacker has valid credentials for “user1” and the WS_FTP server is listening on host 192.168.194.138.

Exploitation:

```
$ echo test > \\.\\.\\.\\.\\.\\.\\.\\.\\test.txt
```

The file is present on the server:

```
C:\>dir /q test.txt
02:00 PM 5 BUILTIN\Administrators test.txt
```

Note that the file is owned by an administrative user, demonstrating that this vulnerability allows files to be written anywhere on the filesystem.

This vulnerability can be further leveraged to obtain remote code execution as the SYSTEM user without requiring a reboot. By uploading a malicious DLL file, which is loaded by an IIS worker process used for the WS_FTP administrative interface approximately once every hour, we can obtain NETWORK SERVICE privilege. This level of privilege is sufficient to then add a new WS_FTP system administrator user which can create an FTP SITE command that is run as SYSTEM, resulting in code execution as the SYSTEM user.

A fully working proof-of-concept has been developed and will be published at a later date.
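
The filename validation that CVE-2019-12144 describes as missing, sketched as an added example (not Ipswitch's or Aon's code): a client-supplied SCP filename is checked against the user's home directory using Windows path rules. The function names, the home directory `C:\FTPRoot\user1` and the sample filenames are constructed for illustration.

```python
import ntpath  # Windows path rules, importable on any OS

class UnsafePath(ValueError):
    """Client-supplied name would resolve outside the user's home directory."""

def resolve_in_home(home: str, supplied: str) -> str:
    """Return the absolute path for `supplied` under `home`, or raise UnsafePath."""
    if not supplied or "\x00" in supplied:
        raise UnsafePath("empty name or NUL byte")
    name = supplied.replace("/", "\\")  # Windows accepts both separators
    drive, rest = ntpath.splitdrive(name)
    # Drive letters, UNC and device prefixes (\\host\share, \\.\, \\?\), rooted
    # paths and NTFS stream syntax (name:stream) are never valid upload names.
    if drive or rest.startswith("\\") or ":" in rest:
        raise UnsafePath("absolute, device or stream path")
    root = ntpath.normpath(home)
    # Collapse "." and ".." first, then test containment on whole components
    # (a plain string-prefix test would accept the sibling directory "user10").
    candidate = ntpath.normpath(ntpath.join(root, name))
    folded_root = ntpath.normcase(root)
    if ntpath.commonpath([folded_root, ntpath.normcase(candidate)]) != folded_root:
        raise UnsafePath("escapes home directory")
    return candidate

# Constructed inputs; HOME is an assumed home directory for "user1".
HOME = r"C:\FTPRoot\user1"
SAMPLES = [
    "docs/report.txt",
    r"docs\..\notes.txt",      # ".." that stays inside home is allowed
    r"..\..\test.txt",
    "../../test.txt",
    r"..\user10\file.txt",
    r"C:\test.txt",
    r"\\.\C:\test.txt",
    r"\test.txt",
    "report.txt:hidden",
]

def classify(home: str = HOME, names=SAMPLES) -> dict:
    """Map each sample name to its resolved path, or None when rejected."""
    out = {}
    for n in names:
        try:
            out[n] = resolve_in_home(home, n)
        except UnsafePath:
            out[n] = None
    return out

if __name__ == "__main__":
    for name, path in classify().items():
        print(f"{name!r:24} -> {path or 'REJECTED'}")
```

The check is lexical only; a server would also need to resolve junctions and symbolic links before opening the file.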