![]() Finally, using Metasploit, we can show how to exploit this flaw. We'll then take a look at how we can use the lua interpreter in the administrator panel to manually execute system commands. Using CWE to declare the problem leads to CWE-352. The manipulation with an unknown input leads to a cross-site request forgery vulnerability. This issue affects some unknown functionality. Let's take a look first at how administrator credentials are stored by Wing FTP version 4.3.8. A vulnerability was found in Wing FTP Server up to 4.4.6 (File Transfer Software). Another choice is to use local data while they are saved in the server's data. One of them is when credentials are stored in a database through SQL injection. ![]() Many samples of ways to recover passwords are available. ![]() Depending about how they are built and used, there are several options to get a hold of web application credentials. In the case of Wing FTP 4.3.8 on Windows, device rights are executed with arbitrary ordersī)We need to have admin keys to log into the admin panel before we can execute orders. The executed commands would be located in the background of the user running the insecure program while exploiting this vulnerability. In the lua parser, the os.execute) (function will then be used for executing arbitrary device commands on the target host. The intruder is able to use os.execute) (in the case of Wing FTP on Windows by providing a specially designed HTTP POST request or just accessing the Web Administrator screen. Only an Authorized Administrator user may access this section of the program. Bottom line is that something causes the WingFTP software to become unresponsive, killing availability until my workaround fixes it.□Wing FTP 4.3.8 Authenticated Command Execution Vulnerability :Ī) The embedded lua interpreter in the admin web interface is the insecure component of Wing FTP 4.3.8. # OK, server is not listening restart itĮcho "Subject: wftpserver service restart at $RUNTIME" > $LOGFILEĮcho "Listener error detected at $RUNTIME" > $LOGFILEĮcho "Unplanned restart of service occurred." > $LOGFILEĮcho "System may be restarted manually at command line:" > $LOGFILEĮcho " /etc/init.d/wftpserver restart " > $LOGFILE usr/bin/lynx -dump " rel="nofollow" rel="nofollow" rel="nofollow" rel="nofollow | egrep 'The web client requires' > $TESTFILE2 Change Mirror Download Exploit Title: Wing FTP Server 4.3.8 - Remote Code Execution (RCE) (Authenticated) Date: Exploit Author: notcos Credit: Credit goes to the initial discoverer of this exploit, Alex Haynes. # we do expect to see the complaining message about requiring Javascript. Wing FTP Server 4.3.8 Remote Code Execution. Since we are doing this from command line / lynx, # check one more thing, to see if wftpserver is running, we'll check the # test the checkfile to see if it is bigger than 0 bytes Tail -10 $LOGDIR/$LASTLOG | egrep 'SSH initialize error|An error arose on' > $TESTFILE # check for error messages which indicates server not responsive LASTLOG=`ls -lrt $LOGDIR | tail -1 | awk ` TESTFILE2=$PROCESSDIR/wingftpmonitor.tst2 # uncomment for monitoring script resultsįAILLOG=$PROCESSDIR/wingftpmonitor.faillog (I replaced my real domain name with to protect our anonymity: To combat this, I built a Linux shell script to run every 5 minutes, and if it detects this state it will restart the server. Tue, 09:34:34 An error arose on http port 443 (error code:24). ![]() What shows in the "official" logs are LOTS of entries like this: 4.3 4.3 out of 5 stars 328 ratingsTo overcome this common catch-22, you. Is anyone still having this error? We do, and here is the frequency (according to a log that I built starting in September 2012): Server Racks & Spot Cooling - Self-Contained AC Unit, 12,000 BTU.
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |