The os.execute() function in the lua interpreter can then be used for executing arbitrary system commands on the target host. In the case of Wing FTP on Windows the attacker is able to use os.execute() by supplying a specially crafted HTTP POST request or just access the web administrator panel. This part of the software can only be accessed by an authenticated administrator user. The vulnerable part of Wing FTP 4.3.8 is the embedded lua interpreter in the admin web interface. Wing FTP 4.3.8 Authenticated Command Execution Vulnerability More information can be found on the Wing FTP website. Some nice features I personally like about Wing FTP are the remote web based administration panel, the web based client, the virtual servers and of course the API’s. Wing FTP Server is actively maintained with regular monthly updates, the latest release is version 4.8.5 which was released in February 2017. The file server supports many protocols: FTP, FTPS(FTP with SSL), HTTP, HTTPS, and SFTP server. Wing FTP server is multi-protocol enterprise grade file server with a lot of features that runs on multiple platforms such as Windows, Linux, Mac OSX and Solaris. Before we are going to analyse and exploit this vulnerability we will first have a look at Wing FTP Server in general and its extensive list of features. Unauthenticated command execution vulnerabilities are way more dangerous as they reside in publicly accessible places and can be exploited by anyone without authentication. In this situation the vulnerability is still ‘protected’ by an authentication layer because the vulnerability resides in the administrator panel. Authenticated command execution vulnerabilities allow an authenticated attacker to execute arbitrary commands on the target system. In this tutorial we will be looking at how to exploit an authenticated command execution vulnerability in Wing FTP Server 4.3.8 and how to fix this security issue.
0 Comments
Leave a Reply. |