Introduction to the CompleteFTP Vulnerability
CompleteFTP is a suite of FTP and SSH tools for Windows developed by EnterpriseDT. The server has functionality for remote and local administration which, due to information leakage in a log file, can be abused by an attacker to hijack the administrative account. Once in, the attacker can use built-in, trigger-based code execution functionality to run arbitrary code with SYSTEM privileges leading to privilege escalation on a local Windows account. In this blog post, I’ll be walking through the discovery and exploitation process.
Finding the Information Leakage
Finding this vulnerability was a relatively straightforward process. The only thing needed was read access to the program installation directory which, by default, is granted to all Windows users. I began going through the main directory looking for log and configuration files which led me to the “Bootstrapper.log” file in the “Server” subdirectory (by default “C:\Program Files (x86)\Complete FTP\Server\Bootstrapper.log”).
Examining this, it became clear that the log was created during the initial installation of the program. This became particularly interesting as I recalled the installer prompting me to create an administrator password during the install process.
The installer prompting to create an admin password.
Investigating the Logs
Looking around, I first discovered a log of SQL statements that contained the administrator’s MD5 password hash. While this could certainly be useful, I would be unable to exploit this if the admin used a sufficiently strong password. As a result, I continued looking for more useful information in the log file.
Eventually, near the end of the log file, I discovered a very interesting command that the installer executed after install. This command called the “CompleteFTPManager.exe” program in the “Manager” subdirectory of the server main directory and supplied a few arguments, two of which appeared to be credentials for the admin user account. The plaintext password was not revealed but rather an encrypted passphrase which, it turned out, was just as good.
Hijacking the Admin Account
From here, the rest of the exploitation chain became trivial. First, I ran the manager program as a local Windows admin and saw that the CompleteFTP Server admin credentials were stored. I cleared them out and unchecked the “save password” box. I then switched over to a local standard user account with no admin privileges or CompleteFTP user account. I opened command prompt and ran the exact command that was listed in the “Bootstrapper.log” file.
CompleteFTPManager.exe localhost 14983 "admin" r48rE+/Pg0jmSXnomoGTqfwtasKuhJ16 SFTP
Running the log file command as a standard, low-privileged Windows user.
Gaining Access to the “Manager” Interface
The command appeared to run successfully, although it was not immediately clear what, if anything, had actually happened. However, when I opened the manager tool again, I discovered that the admin account credentials had been autofilled, thus allowing me to instantly log in to the management interface with full rights of the server administrator.
This was made possible by the inclusion of the private passphrase as a command line argument and copying and pasting the command shown in the log file. With this method, the passphrase does not even need to be cracked.
CompleteFTP Manager login before running the command.
The manager login screen after running the command.
Escalating the Attack
While having access to the admin account for the server was great by itself, the vulnerability became much more dangerous because of two factors. First, the CompleteFTP server runs by default with SYSTEM privileges. Second, the built-in functionality called “Process Triggers” allowed the admin user to run arbitrary code based on specific events such as the server starting, a user logging in, and more.
Code Execution
There were multiple options for code execution, including running an external binary or directly inputting a PowerShell or Batch script. For testing purposes, I used the Batch scripting option to have the server add my user to the Windows “Administrators” group triggered by a user logging in to the FTP server.
I then logged in to the FTP server using a test account (which I was able to create with my new CompleteFTP admin access) and found that the script had executed, thus making my previously low-privileged Windows user an Administrator. Note that for this particular method, this is triggered by any user logging in to the FTP server, not just the target account.
Creating a process trigger to execute a Batch script on user login.
Logging in to the FTP server to trigger the malicious script.
The process trigger fired thus adding my user to the “Administrators” group.
Conclusion
With default configuration of the CompleteFTP server, this vulnerability constitutes a local privilege escalation. However, if permissions are configured such that a user is granted read access to the program installation directory (this is not default), then the vulnerability could also be exploited remotely. This is because the attacker only needs a “CompleteFTPManager.exe” binary on their remote system to be able to access the management interface via IP address and port number.
The simplest mitigation to protect against this vulnerability is to upgrade to the latest version of CompleteFTP Server. Version 12.1.3 contains a patch addressing the issue and as such, versions 12.1.2 and below are considered vulnerable. A proof-of-concept exploit for this vulnerability can be found in our GitHub repository.
Disclosure Timeline
September 3, 2019 – Reported to EnterpriseDT and acknowledged
September 9, 2019 – CompleteFTP Server patch 12.1.3 released
September 9, 2019 – CVE-2019-16116 assigned
October 1, 2019 – Rhino Security Labs’ public release