Description: This vulnerability allows remote command execution with SYSTEM privileges for any authenticated user with a Windows local or domain account on the target host. This is possible because the "exec" command available via SSH always executes as SYSTEM, regardless of the privileges of the logged-in user. CompleteFTP Server versions prior to 12.1.4 are vulnerable to this attack by any level of Windows user. As of version 12.1.4, the "exec" command is limited to Windows Administrator accounts.
Versions Affected: < 12.1.4
Researcher: Robert Fisher (https://twitter.com/be0vlk @be0vlk)
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-16864
Vendor Disclosure: https://enterprisedt.com/products/completeftp/doc/guide/html/history.html
The attacker needs an account on the target system with SSH enabled. Exploitation is as simple as logging in and using the "exec" command to execute an arbitrary command as SYSTEM.
You must have the Paramiko library for Python installed. Run the exploit from the attacking machine using arguments as follows:
python cve-2019-16864.py 192.168.1.1 username password
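A defender-side check for the affected range above, added here as an example and not part of the original advisory or exploit script: it classifies SSH identification strings already collected from your own hosts against the 12.1.4 fix. The banner shape "SSH-2.0-CompleteFTP_<version>", the function names and the sample inventory are assumptions constructed for illustration.

```python
import re

# From the advisory: "exec" is limited to Administrator accounts as of 12.1.4.
FIXED = (12, 1, 4)

# Assumed banner shape (not taken from the advisory): SSH-2.0-CompleteFTP_<version>
BANNER_RE = re.compile(r"^SSH-2\.0-CompleteFTP_(\d+(?:\.\d+){0,3})(?![\w.])")


def parse_version(text):
    """Return the first three components as ints, padding short versions with 0."""
    parts = [int(p) for p in text.split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(banner):
    """Map one SSH identification string to vulnerable / fixed / unknown / other."""
    banner = banner.strip()
    if "CompleteFTP" not in banner:
        return "other"        # different SSH server, outside this advisory
    match = BANNER_RE.match(banner)
    if not match:
        return "unknown"      # product matches, version unparsable: check by hand
    return "vulnerable" if parse_version(match.group(1)) < FIXED else "fixed"


def triage(inventory):
    """Classify every host in a {host: banner} mapping."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (documentation addresses, made-up banners).
SAMPLE_INVENTORY = {
    "192.0.2.10": "SSH-2.0-CompleteFTP_12.1.3",
    "192.0.2.11": "SSH-2.0-CompleteFTP_12.1.4",
    "192.0.2.12": "SSH-2.0-CompleteFTP_12.1.10",   # 10 > 4, not a string compare
    "192.0.2.13": "SSH-2.0-CompleteFTP_9.1",       # short version, padded to 9.1.0
    "192.0.2.14": "SSH-2.0-CompleteFTP",           # version hidden
    "192.0.2.15": "SSH-2.0-OpenSSH_8.9",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict}")
```

Hosts reported as "unknown" still need the installed version confirmed on the server itself, since a banner without a version says nothing about patch level.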