SIG^2 Vulnerability Research Advisory
 
Directory Traversal Vulnerability in TwinFTP Server allows overwriting 
of files outside FTP directory
 
by Tan Chew Keong
Release Date: 12 Sept 2004
 
 
ADVISORY URL
 
http://www.security.org.sg/vuln/twinftp103r2.html
 
 
SUMMARY
 
TwinFTP Server (http://www.twinftp.com/) is a FTP server released by 
Jigunet Corporation for the Windows platform. A vulnerability exists in 
TwinFTP server that allows a malicious user access to files outside the 
FTP directory. This vulnerability may also be exploited to bypass 
directory restrictions enforced by the FTP server to write arbitrary 
files into directories that the server process has access to.
 
 
TESTED SYSTEM
 
TwinFTP Server Standard 1.0.3 R2 (Win32) on English WinXP SP1.
TwinFTP Server Enterprise 1.0.3 R2 (Win32) on English Win2K SP2.
 
 
DETAILS
 
A directory traversal vulnerability exists in several FTP commands of 
TwinFTP that may be exploited by a malicious user to access files 
outside the FTP directory. The problem lies with the incorrect filtering 
of directory name supplied to CWD, STOR and RETR commands. Directory 
traversal is possible when the directory name contains three dots and a 
forward slash, e.g. ".../winnt".
 
This vulnerability may be exploited to bypass directory restrictions 
enforced by the FTP server to write arbitrary files into directories 
that the server process has access to. This is critical since it may be 
abused by malicious users to overwrite system files within the Windows 
directory if the TwinFTP server runs with Administrator privilege.
 
 
PATCH
 
Upgrade to Version 1.0.3 R3 that is released on 10 Sep 2004. Version 
1.0.3 R3 released before 10 Sep 2004 is vulnerable.
 
 
DISCLOSURE TIMELINE
 
02 Aug 04 - Vulnerability Discovered
04 Aug 04 - Initial Vendor Notification (no reply)
09 Aug 04 - Second Vendor Notification
13 Aug 04 - Vendor released Version 1.0.3 R3 which fixes directory 
traversal problem, but RETR and STOR commands are still vulnerable
13 Aug 04 - Notified vendor about RETR and STOR vulnerability (no reply)
30 Aug 04 - Second vendor notification about RETR and STOR vulnerability
10 Sep 04 - Vendor re-released Version 1.0.3 R3 which fixes RETR and 
STOR commands.
12 Sep 04 - Public Release
 
 
GREETINGS
 
All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
 
SIG^2 G-TEC Software Vulnerability Research Project
http://www.security.org.sg/vuln/
 
"IT Security...the Gathering. By enthusiasts for enthusiasts."