[vuln.sg] UltraEdit FTP/SFTP Browser Directory Traversal Vulnerability

A vulnerability has been found within the FTP/SFTP browser in UltraEdit. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.

This advisory discloses a vulnerability within the FTP/SFTP browser in UltraEdit. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a user's system.

The FTP client does not properly sanitise filenames containing directory traversal sequences (backslash and forward-slash) that are received from an FTP server in response to the LIST command when the user downloads an entire directory.

Response to LIST (backslash):

-rw-r--r--    1 ftp      ftp            20 Mar 01 05:37 \..\..\..\..\..\..\..\..\..\testfile.txt\r\n

Response to LIST (forward-slash):

-rw-r--r--    1 ftp      ftp            20 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n

Response to LIST (combination):

-rw-r--r--    1 ftp      ftp            20 Mar 01 05:37 ../..\/..\/..\/../..\/../..\/../testfile.txt\r\n

By tricking a user to download a directory from a malicious FTP server that contains files with directory traversal sequences in their filenames, it is possible for the attacker to write files to arbitrary locations on a user's system with privileges of that user. An attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.

Instructions for testing FTP client:

Unzip the POC file into a directory. This gives UltraEditPOC.exe, UltraEditPOC-forward.exe, and UltraEditPOC-combination.exe.

UltraEditPOC.exe is a POC FTP server that will send filenames with backslash directory traversal characters in response to LIST commands.
UltraEditPOC-forward.exe is a POC FTP server that will send filenames with forward-slash directory traversal characters in response to LIST commands.
UltraEditPOC-combination.exe is a POC FTP server that will send filenames with both backslash and forward-slash directory traversal characters in response to LIST commands.

Go to the command prompt and run one of the POC FTP server on a system. It will listen on FTP Port 21.

IMPORTANT: Ensure that the UltraEdit FTP/SFTP browser is configured to use Passive mode. The POC FTP server only supports Passive mode.
Use UltraEdit's FTP/SFTP browser to connect to the POC FTP server. You can use any username/password.
You'll see a directory named /testdir on the POC FTP server (see below).

If you traverse into that directory you'll see a file (testfile.txt) with directory traversal characters in its filename (see below).

Now, if you attempt to download the /testdir directory into C:\aaaa\bbbb\cccc\etc, you'll notice that testfile.txt will be written into C:\ instead of into C:\aaaa\bbbb\cccc\etc\testdir\testfile.txt.

Hence, by tricking a user to download a directory from a malicious FTP server, an attacker can potentially leverage this issue to write files into a user's Startup folder and execute arbitrary code when the user logs on.

2008-06-08 - Vulnerability Discovered.
2008-06-08 - Vulnerability details and POC sent to vendor.
2008-06-09 - Initial Vendor Reply.
2008-06-10 - Received hotfix from vendor for testing.
2008-06-10 - Informed vendor that the hotfix fixes the vulnerability.
2008-06-16 - Received reply from vendor that the hotfix for version 14.00b was published on 2008-06-13.
2008-06-17 - Public Release.
2008-07-02 - Tested version 14.10 and found that the vulnerability was fixed in this version.