Analysis of Vulnerabilities in UFTPD Before Version 2.11

Hi guys, this time I want to share a final project from a course that I took back in the Fall 2020 semester.

TL;DR

  • UFTPD is an open-source FTP/TFTP server developed by Joachim Wiberg. The developer designed UFTPD as a simple FTP/TFTP server that “just work!!” without bloating it with features that most users neither require nor generally use.
  • At the time this project was conducted, three Common Vulnerabilities and Exposures (CVE) entries had been assigned to UFTPD before version 2.11, all of them rated HIGH severity under CVSS 3.1 scoring.
  • In this project, I mostly explored the Directory Traversal vulnerability found in the affected versions and demonstrated how, under some circumstances, it can be exploited to compromise the host machine by gaining Remote Code Execution (RCE).

UFTPD

As mentioned above, UFTPD is an open-source FTP/TFTP server developed by Joachim Wiberg. It can be freely downloaded from its project repository https://github.com/troglobit/uftpd and from the developer’s website https://troglobit.com/projects/uftpd/. UFTPD’s features include:

  • FTP and/or TFTP
  • No complex configuration files
  • Runs from standard UNIX inetd, or standalone
  • Uses ftp user’s $HOME, from /etc/passwd, or custom path
  • Uses ftp/tcp and tftp/udp from /etc/services, or custom ports
  • Privilege separation: drops root privileges after binding to its ports
  • Possible to use symlinks outside of the FTP home directory
  • Possible to have group writable FTP home directory

Vulnerabilities in UFTPD before 2.11

The developer states that UFTPD targets users in need of a simple FTP/TFTP server and is not primarily aimed at secure installations. Listed below are the vulnerabilities found as of December 2020 in UFTPD before version 2.11. Note: all listed vulnerabilities were discovered by arinerron.

CVE-2020-14149 (CVSS 3.1 Score: 7.5 HIGH)

In UFTPD before 2.12, handle_CWD in ftpcmd.c mishandles the path provided by the user, causing a NULL pointer dereference and denial of service, as demonstrated by a CWD /.. command.

CVE-2020-5221 (CVSS 3.1 Score: 7.2 HIGH)

In UFTPD before 2.11, it is possible for an unauthenticated user to perform a directory traversal attack using several different FTP commands and read from and write to arbitrary locations on the filesystem, due to the lack of a well-written chroot jail in compose_abspath(). This has been fixed in version 2.11.

CVE-2020-5204 (CVSS 3.1 Score: 8.8 HIGH)

In UFTPD before 2.11, there is a buffer overflow vulnerability in handle_PORT in ftpcmd.c that is caused by a buffer that is 16 bytes large being filled via sprintf() with user input based on the format specifier string %d.%d.%d.%d. The 16 byte size is correct for valid IPv4 addresses (len('255.255.255.255') == 16), but the format specifier %d allows more than 3 digits. This has been fixed in version 2.11.
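As an added illustration (not uftpd’s own code), the following shows how a PORT argument of the form h1,h2,h3,h4,p1,p2 can be parsed so that the 16-byte address buffer described above cannot overflow: each field is width-limited while scanning, range-checked as an octet, and formatted with a bounded snprintf. The function and buffer names are my own assumptions.

```c
/* Added example, not uftpd code: bounded parsing of an FTP PORT argument
 * as a contrast to the unbounded sprintf("%d.%d.%d.%d") into a 16-byte
 * buffer described for CVE-2020-5204. */
#include <stdio.h>
#include <string.h>

#define ADDR_LEN 16  /* "255.255.255.255" plus the terminating NUL */

/* Parse "h1,h2,h3,h4,p1,p2". On success write the dotted-quad address
 * into addr (ADDR_LEN bytes) and the TCP port into *port, returning 0.
 * Return -1 for any malformed or out-of-range input. */
int parse_port_arg(const char *arg, char addr[ADDR_LEN], unsigned *port)
{
    int v[6];
    char trailing;
    int n;

    if (arg == NULL)
        return -1;

    /* %3d caps each field at three characters, so a hostile client cannot
     * make the formatted address longer than 15 characters. The extra %c
     * only matches if junk follows the sixth field, which we then reject. */
    if (sscanf(arg, "%3d,%3d,%3d,%3d,%3d,%3d%c",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &trailing) != 6)
        return -1;

    /* Every field of a PORT argument is a single octet. */
    for (int i = 0; i < 6; i++)
        if (v[i] < 0 || v[i] > 255)
            return -1;

    /* snprintf bounds the write to the buffer regardless of field values;
     * the length check defends against any future change to ADDR_LEN. */
    n = snprintf(addr, ADDR_LEN, "%d.%d.%d.%d", v[0], v[1], v[2], v[3]);
    if (n < 0 || n >= ADDR_LEN)
        return -1;

    *port = (unsigned)((v[4] << 8) | v[5]);
    return 0;
}
```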

Full Report/Lab Documentation

Because the report is pretty long, I have attached the PDF file for those of you who are interested in reading more. FULL REPORT