vuln.sg  SS-Alek-v-017.7z.003

vuln.sg Vulnerability Research Advisory

AceFTP FTP-Client Directory Traversal Vulnerability

by Tan Chew Keong
Release Date: 2008-06-27

SS-Alek-v-017.7z.003   [en] [jp]

SS-Alek-v-017.7z.003 Summary

A vulnerability has been found within the FTP client in AceFTP. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.


SS-Alek-v-017.7z.003 Tested Versions


SS-Alek-v-017.7z.003 Details

This advisory discloses a vulnerability within the FTP client in AceFTP. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.

The FTP client does not properly sanitise filenames containing directory traversal sequences (forward-slash) that are received from an FTP server in response to the LIST command.

An example of such a response from a malicious FTP server is shown below. 


Response to LIST (forward-slash):

-rw-r--r--    1 ftp      ftp            20 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n
 

By tricking a user to download a directory from a malicious FTP server that contains files with fowward-slash directory traversal sequences in their filenames, it is possible for the attacker to write files to arbitrary locations on a user's system with privileges of that user. An attacker can potentially leverage this issue to write files into a user's Windows Startup folder and execute arbitrary code when the user logs on.


SS-Alek-v-017.7z.003 POC / Test Code

Please download the POC here and follow the instructions below.

Ss-alek-v-017.7z.003 Review

: Once extracted, identify the file types inside (e.g., CSV, JSON, LOG). If the data is structured, you might use tools like Excel for basic reporting or Tableau for visualization. Structure the Report :

: This uses the 7z format, known for high compression ratios. You will need a utility like 7-Zip (Windows) or Keka (macOS) to process it. SS-Alek-v-017.7z.003

: While this name doesn't correspond to a known public dataset in general search results, "SS" often denotes "Sample Set" or "System Snapshot" in technical documentation, and "Alek" is likely a project-specific identifier or username. Steps to Generate Your Report : Once extracted, identify the file types inside (e

The filename indicates that this is the third part of a multi-volume compressed archive created using 7-Zip . To "develop a report" or access the data within, you must first verify that you have all the necessary parts and extract them correctly. Technical Assessment of the File You will need a utility like 7-Zip (Windows)

: Note that the data was extracted from a multi-part 7z archive. Findings : The actual analysis of the extracted files.

: Ensure all parts of the sequence (001, 002, 003, etc.) are in a single directory. Open the .001 file with your extraction tool; it will automatically pull data from the subsequent parts.


SS-Alek-v-017.7z.003 Patch / Workaround

Avoid downloading files/directories from untrusted FTP servers.


SS-Alek-v-017.7z.003 Disclosure Timeline

2008-06-15 - Vulnerability Discovered.
2008-06-16 - Vulnerability Details Sent to Vendor via online support form (no reply).
2008-06-18 - Vulnerability Details Sent to Vendor again via online support form (no reply).
2008-06-25 - Vulnerability Details Sent to Vendor again via online support form (no reply).
2008-06-27 - Public Release.


Contact
For further enquries, comments, suggestions or bug reports, simply email them to