Oct 11, 2024 12:28:45 PM | Disclosures TitanFTP Vulnerability Disclosure

White Oak Security discovered multiple vulnerabilities in the TitanFTP NextGen server owned by South River Technologies. TitanFTP NextGen is a FTP/SFTP server utilized to manage file transfers and includes a […]

titanFTP vulnerability disclosure screenshot by White Oak Security

White Oak Security discovered multiple vulnerabilities in the TitanFTP NextGen server owned by South River Technologies. TitanFTP NextGen is a FTP/SFTP server utilized to manage file transfers and includes a Web Server to facilitate file transfers. The vulnerabilities found include:

  • Vertical Privilege Escalation leading to Remote Code Execution
  • Multiple instances of Directory Traversal leading to File Inclusion

Disclosure Timeline

Before we dive into the vulnerability details, we want to give our thanks to the South River Technologies team for their communication throughout the vulnerability disclosure process. They provided a disclosure form, quick responses, and published a fix within two weeks of initial disclosure.

White Oak Security followed responsible disclosure guidelines by giving TitanFTP time to remediate this vulnerability and allow customers ample time to patch their instances.

2/10/23: Attempted to contact the vendor via online support ticket.

2/10/23: Submitted vulnerability disclosure form with details of the Directory Traversal and Vertical Privilege Escalation vulnerabilities.

2/10/23: Received a request from South River Technologies for additional details.

2/10/23: Submitted additional details to South River Technologies.

2/17/23: South River Technologies forwarded the report White Oak Security supplied on the vulnerabilities to the TitanFTP Next Gen development team.

2/28/23: South River Technologies informed White Oak Security that the vulnerabilities have been fixed.

6/1/23: White Oak Security publicly discloses the finding according to our vulnerability disclosure policy.

Analysis: Local File Inclusion (LFI)

Instance #1: Copy Files

An authenticated TitanFTP user has the ability to create folders and files as well as copy files from one folder to another. When attempting to copy a file from one folder to another, the parameter “CopyFromFullPath” is utilized by the API. This value can be modified to contain a full path value to point to arbitrary files as seen below:

screenshot by White Oak Security shows authenticated TitanFTP user has the ability to create folders and files as well as copy files from one folder to another. When attempting to copy a file from one folder to another, the parameter “CopyFromFullPath” is utilized by the API. This value can be modified to contain a full path value to point to arbitrary files

The response from the server indicates success:

screenshot by White Oak Security shows the response code here

The file can now be observed in the GUI:

file can be used in TitanFTP seen here in this screenshot by White Oak Security

Now that the file has been established inside the TitanFTP users folder the contents can be downloaded and observed:

TitanFTP shows the users in the code screenshot by White Oak Security

Instance #2: Admin Server Log Export

TitanFTP also exposes an administration server which is served on port 41443. The log functionality can be abused to conduct directory traversal attacks and retrieve arbitrary files from the server. In this case, the “fileList” parameter value can be modified with a full path to any file on the server:

filelist parameter is being modified in this screenshot by White Oak Security

The server responds with the file requested:

server is responding to filelist screenshot by White Oak Security

Instance #3: Admin Server Report Export

Additionally, on the admin server, the report export function can be abused to conduct directory traversal attacks and retrieve arbitrary files from the server. In this case, the “Name” parameter value can be modified with a full path to any file on the server:

name parameter code request screenshot by White Oak Security

The server responds with the file content:

screenshot by White Oak Security shows the server response

Analysis: Vertical Privilege Escalation Vulnerability

White Oak Security observed a vertical privilege escalation vulnerability within the user web server (ports 80/443) where local users can perform actions typically reserved for administrative users. To demonstrate the severity of this issue, White Oak Security authenticated into the application as a low-privilege user (note the lack of admin capabilities in the left side panel):

titanFTP shows the privilege esculation in this screenshot by White Oak Security

Next, White Oak Security crafted a request that is typically reserved for administrative users: Executing an action (such as an external job). In this example, White Oak Security executed the external program “calc.exe” from the low-privilege user context which successfully spawned the process on the application server:

calc.exec request screenshot by White Oak Security

A successful response from the server indicating the process was spawned successfully:

a successful response from the server screenshot by White Oak Security

On the application server, the process executed successfully as the privileged NT AUTHORITY/SYSTEM user. This vulnerability could be leveraged to spawn an interactive shell on the system as the SYSTEM user.

on the app server its been executed successfully screenshot by White Oak Security

TitanFTP Conclusion

The South River Technologies’ TitanFTP team provided an exemplary response to this responsible vulnerability disclosure. They provided timely communication, a secure method for sharing vulnerability details, and a quick code update to fix the vulnerability. This type of response and collaboration with security researchers is a prime example of caring for your clients and the security of their data. 

 

Written By: Michael Rand, Jeffrey Green, & Brett DeWall