There exists a race condition for commands which create a new thread to handle them while using context->FileName, for example RETR and MLSD.

Steps to reproduce:

1. Log in using a username such as anonymous.
2. Use PASV to switch to passive mode.
3. Send a RETR command with an existing file to create the handler thread. Since it is passive mode, the handler thread will block there waiting for the data socket connection.
4. Send a USER command to overwrite context->FileName.
5. Connect the data socket; the handler thread will then use the overwritten context->FileName, which could cause path traversal or other security issues.

This was used to create a real-world style challenge in Real World CTF 5th, which just ended; sorry for notifying here a bit late.