In this tutorial we will be looking at how to exploit an authenticated command execution vulnerability in Wing FTP Server 4.3.8 and how to fix this security issue. Authenticated command execution vulnerabilities allow an authenticated attacker to execute arbitrary commands on the target system. In this situation the vulnerability is still 'protected' by an authentication layer, because the vulnerability resides in the administrator panel. Unauthenticated command execution vulnerabilities are far more dangerous, as they reside in publicly accessible places and can be exploited by anyone without authentication. Before we analyse and exploit this vulnerability we will first have a look at Wing FTP Server in general and its extensive list of features.

Wing FTP Server is a multi-protocol, enterprise-grade file server with a lot of features that runs on multiple platforms such as Windows, Linux, Mac OS X and Solaris. The file server supports many protocols: FTP, FTPS (FTP with SSL), HTTP, HTTPS and SFTP. Wing FTP Server is actively maintained with regular monthly updates; the latest release is version 4.8.5, which was released in February 2017. Some nice features I personally like about Wing FTP are the remote web-based administration panel, the web-based client, the virtual servers and of course the APIs. More information can be found on the Wing FTP website.

Wing FTP 4.3.8 Authenticated Command Execution Vulnerability

The vulnerable part of Wing FTP 4.3.8 is the embedded Lua interpreter in the admin web interface. This part of the software can only be accessed by an authenticated administrator user. In the case of Wing FTP on Windows the attacker is able to reach os.execute() either by supplying a specially crafted HTTP POST request or simply by using the web administrator panel. The os.execute() function in the Lua interpreter can then be used to execute arbitrary system commands on the target host. When this vulnerability is exploited, the executed commands run in the context of the user running the vulnerable software. In the case of Wing FTP 4.3.8 on Windows the arbitrary commands are executed with system privileges, as we will demonstrate in this tutorial.

Before we are able to execute commands we need admin credentials to log in to the administrator panel. There are many ways to get hold of credentials for web applications, depending on how they are installed and accessed. Two common examples: SQL injection when credentials are stored in a database, and local file inclusion when they are stored in files on the server. Let's first have a look at how Wing FTP version 4.3.8 stores administrator credentials. Then we'll have a look at how we can manually execute system commands using the Lua interpreter in the administrator panel. Finally we will demonstrate how to exploit this vulnerability using Metasploit.

Wing FTP server admin credentials

As already explained, we need admin credentials in order to exploit the authenticated command execution vulnerability in the administrator panel. After installing the demo version on a local system we found out that a file named admins.xml contains the hashed administrator password. The admins.xml file can be found in the following location:

C:\Program Files\Wing FTP Server\Data\_ADMINISTRATOR
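The exploitation path described above goes through the administrator panel: a POST request whose body hands a Lua string containing os.execute() to the embedded interpreter. From the defender's side, the practical control (besides updating and restricting access to the admin panel) is to watch the requests that reach that panel. The following is an added example, not code from the original write-up or from Wing FTP: a small Python detector that parses constructed web-proxy log lines and flags POST requests to the admin panel whose body carries Lua OS-execution primitives. The log format, the /admin/ path prefix and the sample request bodies are assumptions made for this example; Wing FTP's real log format and admin URLs are not taken from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample of reverse-proxy log lines in front of the Wing FTP
# administrator panel. Field layout, the /admin/ prefix and the bodies are
# assumptions for this example, not Wing FTP's actual log format.
SAMPLE_LOG = """\
2017-03-01T10:00:01Z 10.0.0.5 POST /admin/login body="username=admin&password=REDACTED"
2017-03-01T10:00:07Z 10.0.0.5 POST /admin/console body="command=os.execute('whoami')"
2017-03-01T10:00:09Z 10.0.0.5 POST /admin/console body="command=io.popen('ipconfig'):read('*a')"
2017-03-01T10:01:12Z 10.0.0.9 GET /client/index.html body=""
2017-03-01T10:02:30Z 10.0.0.5 POST /admin/settings body="max_connections=100"
"""

# One log record: timestamp, client address, HTTP method, path, request body.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) body="(?P<body>.*)"$'
)

# Lua standard-library primitives that hand a string to the operating system
# or load code dynamically. os.execute is the one named in the write-up; the
# others are siblings with equivalent effect that a detector should not miss.
LUA_EXEC_RE = re.compile(r'\b(os\.execute|io\.popen|loadstring|dofile)\s*\(')


@dataclass
class Finding:
    timestamp: str
    source: str
    path: str
    primitive: str


def parse_line(line):
    """Return the record fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_lua_exec(log_text, admin_prefix="/admin/"):
    """Flag POST requests under the admin panel whose body invokes a Lua
    OS-execution primitive. Returns one Finding per matching request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the sweep
        if rec["method"] != "POST" or not rec["path"].startswith(admin_prefix):
            continue  # only the authenticated admin surface is of interest
        m = LUA_EXEC_RE.search(rec["body"])
        if m:
            findings.append(Finding(rec["ts"], rec["src"], rec["path"], m.group(1)))
    return findings


def sources_with_exec(findings):
    """Distinct client addresses that issued flagged requests, sorted."""
    return sorted({f.source for f in findings})


if __name__ == "__main__":
    for f in find_lua_exec(SAMPLE_LOG):
        print(f"{f.timestamp} {f.source} {f.path} -> {f.primitive}")
    print("sources:", sources_with_exec(find_lua_exec(SAMPLE_LOG)))
```

Run against the constructed sample, the detector reports the two console requests from 10.0.0.5 and ignores the login, settings and client traffic. In a real deployment the same logic would run over the proxy or WAF request log that fronts the admin port, and a hit on a Lua execution primitive from any source (including a legitimate administrator) deserves a ticket, because it is exactly the action the write-up describes.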