
Race Condition for FTP commands for which a new handler thread is created while using FileName variable #25

Closed
zTrix opened this issue Jan 8, 2023 · 3 comments

zTrix commented Jan 8, 2023

Hi,

There is a race condition in commands that create a new handler thread while using context->FileName, for example RETR and MLSD.

Steps to reproduce:

  1. Log in using a username such as anonymous.
  2. Use PASV to switch to passive mode.
  3. Send a RETR command for an existing file to create the handler thread. Since the session is in passive mode, the handler thread blocks there waiting for the data socket connection.
  4. Send a USER command to overwrite context->FileName.
  5. Connect the data socket; the handler thread then uses the overwritten context->FileName, which could cause path traversal or other security issues.

This was used to create a real-world style challenge in Real World CTF 5th, which has just ended; sorry for notifying you here a bit late.
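The ordering described above, replayed sequentially as an added C model that is not the server's own code (the SessionContext and RetrRequest types, store_argument and both handler functions are assumptions): the vulnerable handler dereferences the shared context->FileName only after its blocking wait, while the hardened variant copies the RETR argument into per-request state before the thread is created, so a later USER cannot change what the handler opens.

```c
#include <string.h>
#include <stdio.h>
#define MAX_NAME 256

/* Shared per-session state (constructed model; only FileName is from the report). */
typedef struct {
    char FileName[MAX_NAME];   /* overwritten by USER, RETR, MLSD, ... */
} SessionContext;
/* Per-request state: the handler's private copy of the RETR argument. */
typedef struct {
    char FileName[MAX_NAME];
} RetrRequest;

/* Command-loop side: a command storing its argument in the shared context. */
static void store_argument(SessionContext *ctx, const char *arg) {
    snprintf(ctx->FileName, sizeof ctx->FileName, "%s", arg);
}

/* Vulnerable pattern: the handler reads the shared field only after the
 * blocking wait for the passive-mode data connection returns. */
const char *handler_vulnerable(const SessionContext *ctx) {
    /* ... accept() on the passive data socket would block here ... */
    return ctx->FileName;      /* whatever the most recent command stored */
}

/* Hardened pattern: snapshot the argument before the thread is created,
 * and let the handler touch only its own copy. */
void retr_begin(const SessionContext *ctx, RetrRequest *req) {
    memcpy(req->FileName, ctx->FileName, sizeof req->FileName);
}
const char *handler_hardened(const RetrRequest *req) {
    /* ... accept() on the passive data socket would block here ... */
    return req->FileName;      /* still the original RETR argument */
}

/* Replay the reported interleaving: RETR parsed, handler blocked, USER
 * overwrites the shared field, handler resumes. 1 = handler still sees RETR arg. */
int vulnerable_handler_keeps_retr_arg(void) {
    SessionContext ctx = {{0}};
    store_argument(&ctx, "pub/readme.txt");     /* RETR pub/readme.txt */
    store_argument(&ctx, "changed-by-USER");    /* USER changed-by-USER */
    return strcmp(handler_vulnerable(&ctx), "pub/readme.txt") == 0;
}
int hardened_handler_keeps_retr_arg(void) {
    SessionContext ctx = {{0}};
    RetrRequest req;
    store_argument(&ctx, "pub/readme.txt");     /* RETR pub/readme.txt */
    retr_begin(&ctx, &req);                     /* copy taken for the thread */
    store_argument(&ctx, "changed-by-USER");    /* USER changed-by-USER */
    return strcmp(handler_hardened(&req), "pub/readme.txt") == 0;
}
```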

@UldisRinkevichs (Collaborator)

Thank you for the information. This is an interesting and serious bug that will be fixed in an upcoming update.

UldisRinkevichs added a commit that referenced this issue Jan 29, 2023
hfiref0x (Owner) commented Feb 4, 2023

@zTrix

Hello,

Let us know if you are willing to add anything else to your initial post. If not, the proposed fix will be released shortly as version 2.3.

zTrix (Author) commented Feb 4, 2023

Thanks for asking. I have nothing more to add.

@hfiref0x hfiref0x closed this as completed Feb 4, 2023