Filezilla Vulnerability

FrozT2
500 Command not understood
Posts: 3
Joined: 2011-10-17 16:04
First name: Chad
Last name: Edmond

Filezilla Vulnerability

#1 Post by FrozT2 » 2011-10-17 16:10

I was performing a penetration test using Nessus on a client with a FileZilla server and I got the following medium severity event:

FTP Service AUTH TLS Plaintext Command Injection

I instructed my client to upgrade their FileZilla server to the latest version and he did so. I then re-ran the test and it still failed with the exact same warning.

Is this a known issue or something that is being addressed?

botg
Site Admin
Posts: 32700
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Filezilla Vulnerability

#2 Post by botg » 2011-10-17 18:09

Do you have any details on how this attack works?

As authentication is only done after the secure connection has been established and all previously received plaintext commands have been executed, I see no possible way to exploit this.

Things would be different if FileZilla Server would use TLS client certificates for authentication, but it does not.

FrozT2
500 Command not understood
Posts: 3
Joined: 2011-10-17 16:04
First name: Chad
Last name: Edmond

Re: Filezilla Vulnerability

#3 Post by FrozT2 » 2011-10-18 20:51

Plugin Output

Nessus sent the following two commands in a single packet :

AUTH TLS\r\nFEAT\r\n

And the server sent the following two responses :

234 Using authentication type TLS
211-Features:
MDTM
REST STREAM
SIZE
MODE Z
MLST type*;size*;modify*;
MLSD
AUTH SSL
AUTH TLS
UTF8
CLNT
MFMT
211 End

Description
The remote FTP server contains a software flaw in its AUTH TLS
implementation that could allow a remote unauthenticated attacker to
inject commands during the plaintext protocol phase that will be
executed during the ciphertext protocol phase.

Successful exploitation could permit an attacker to modify files on
the FTP server and reveal a user's credentials.

botg
Site Admin
Posts: 32700
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Filezilla Vulnerability

#4 Post by botg » 2011-10-19 06:07

Successful exploitation could permit an attacker to modify files on
the FTP server and reveal a user's credentials.

Where is that successful exploitation? The way I see it, there is no vulnerability, an attacker can at most execute those commands he could have executed by just connecting to the server himself without performing a TLS handshake. Utterly harmless.

I really don't like tools like Nessus, they cry wolf without actually verifying the problem. Just a bunch of generic tests when instead they should have focused on specific tests for each individual FTP server software and manually verified the results.

FrozT2
500 Command not understood
Posts: 3
Joined: 2011-10-17 16:04
First name: Chad
Last name: Edmond

Re: Filezilla Vulnerability

#5 Post by FrozT2 » 2011-10-19 16:05

Generally when performing a penetration test on production systems we turn off the check box which would perform an actual attack as a courtesy to our clients. We don't actually want to destroy anything, just find the holes and plug them...

We can assume that FileZilla uses the same input buffer before and after the switch to TLS. This buffer should be discarded after the switch.

The following is specifically mentioned under re-authentication in RFC 2228:
http://tools.ietf.org/html/rfc2228
"The AUTH command, if accepted, removes any state associated with prior FTP Security commands."
In this case its intention is to remove any state from one encrypted session to another (which should discard the previous input buffer), but I think it can be reasonably applied to the first AUTH command since the initial state was unencrypted, and we moved to an encrypted state.

http://en.wikipedia.org/wiki/FTPS
Secure command channel
The secure command channel mode can be entered through the issue of either the AUTH TLS or AUTH SSL commands. After such time, all command control between the FTPS client and server are assumed to be encrypted. It is generally advised to enter such a state prior to user authentication and authorization in order to avoid the eavesdropping of user name and password data by third parties.


On May 24th 2011 Pure-FTP addressed this issue:
http://project.lxcenter.org/issues/546

April 1st 2011 ProFTP addressed the issue in version 1.3.3e
http://www.proftpd.org/docs/RELEASE_NOTES-1.3.3e

Additional reference:
http://www.securityfocus.com/archive/1/ ... 0/threaded

[edit]
P.S.
I see your point that this is a minor issue, and an attacker likely couldn't do anything they already could have done. But for the time being Nessus ranks this as 'Medium Severity' and my report must include this information because it includes copies of the scan. Maybe you could contact Nessus and have them downgrade the severity of the issue? But it might just be easier to patch it as others have done.
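The following is an added simulation, not FileZilla Server's code and not something posted in this thread. It models the single receive buffer described above and replays the two-command packet from the Nessus plugin output (post #3) against two variants of a toy FTP control channel: one that keeps plaintext bytes buffered behind AUTH TLS and executes them after the switch, and one that discards that residue when AUTH TLS is accepted, which is the mitigation proposed in post #5. The class and function names (FtpControlChannel, run_probe, looks_vulnerable) are constructed for this example, and the TLS handshake is collapsed into a flag; after the flag is set, bytes passed to feed() stand for data the TLS layer has already decrypted.

```python
"""Toy FTP control channel showing the AUTH TLS plaintext-residue problem.

Constructed example: not FileZilla Server's code. FEATURES reproduces the
FEAT list from the scanner output quoted in the thread.
"""

FEATURES = ["MDTM", "REST STREAM", "SIZE", "MODE Z",
            "MLST type*;size*;modify*;", "MLSD", "AUTH SSL", "AUTH TLS",
            "UTF8", "CLNT", "MFMT"]

# Constructed probe: the two commands the scanner sent in one packet.
PROBE = b"AUTH TLS\r\nFEAT\r\n"


class FtpControlChannel:
    """Minimal FTP command parser with one receive buffer.

    discard_on_auth=False keeps whatever plaintext bytes were already buffered
    behind 'AUTH TLS' and executes them once the channel is marked secure.
    discard_on_auth=True throws that residue away, so every command after
    AUTH TLS has to arrive through the TLS layer.
    """

    def __init__(self, discard_on_auth):
        self.discard_on_auth = discard_on_auth
        self.buf = b""
        self.tls_active = False
        # Audit log of (command, channel it arrived over, phase it ran in).
        self.log = []

    def feed(self, data):
        """Consume bytes read from the socket; return the reply lines."""
        # The whole packet arrived over whatever the channel was at read time.
        arrived = "tls" if self.tls_active else "plaintext"
        replies = []
        self.buf += data
        while b"\r\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\r\n")
            cmd = line.decode("ascii", "replace").strip()
            executed = "tls" if self.tls_active else "plaintext"
            self.log.append((cmd, arrived, executed))
            replies.extend(self.handle(cmd))
            if cmd.upper() == "AUTH TLS" and self.discard_on_auth:
                # Hardened behaviour: drop anything pipelined in the clear so
                # the TLS handshake starts from an empty buffer.
                self.buf = b""
        return replies

    def handle(self, cmd):
        upper = cmd.upper()
        if upper == "AUTH TLS":
            self.tls_active = True
            return ["234 Using authentication type TLS"]
        if upper == "FEAT":
            return ["211-Features:"] + [" " + f for f in FEATURES] + ["211 End"]
        return ["500 Command not understood"]

    def injected_commands(self):
        """Commands that arrived in plaintext but ran in the TLS phase."""
        return [c for c, a, e in self.log if a == "plaintext" and e == "tls"]


def run_probe(discard_on_auth):
    """Replay the scanner's packet; return (reply lines, injected commands)."""
    chan = FtpControlChannel(discard_on_auth)
    replies = chan.feed(PROBE)
    return replies, chan.injected_commands()


def looks_vulnerable(replies):
    """Scanner-style heuristic: a 234 followed by any further reply to the
    same plaintext packet means the buffered command was executed."""
    return len(replies) > 1 and replies[0].startswith("234")


if __name__ == "__main__":
    for discard in (False, True):
        replies, injected = run_probe(discard)
        print(f"discard_on_auth={discard}: {len(replies)} reply line(s), "
              f"injected={injected}, flagged={looks_vulnerable(replies)}")
```

Running it prints one flagged run (the buffered FEAT is answered after the 234) and one clean run (only the 234 comes back). The audit log is the useful part for a defender: in the unfixed variant it records FEAT as received over plaintext but executed in the TLS phase, which is exactly the condition the scanner description calls command injection, and which the discard-at-AUTH rule removes regardless of what command was pipelined.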

botg
Site Admin
Posts: 32700
Joined: 2004-02-23 20:49
First name: Tim
Last name: Kosse

Re: Filezilla Vulnerability

#6 Post by botg » 2011-10-19 19:21

I never said that I won't fix this issue, but unless proven otherwise, I do not consider it to be a vulnerability that requires immediate attention. I've been aware of this class of attack since the original STARTTLS vulnerability in SMTP and its potential application towards FTP over TLS and don't think that this issue can be exploited in FileZilla Server.

However, if you can show me a concrete example of how Mallory can exploit this bug to disclose information between Alice and FileZilla Server, I can guarantee you that a fixed version will be released within 24 hours.

jdelta
500 Command not understood
Posts: 1
Joined: 2020-03-24 16:31

Re: Filezilla Vulnerability

#7 Post by jdelta » 2020-03-24 16:35

"I was performing a penetration test using Nessus" -> Nessus is a vulnerability scanner. If you encounter an issue, and you cannot validate (read as "exploit") the issue, you are not only NOT performing a "penetration test", but also very possibly looking at a false positive.

boco
Contributor
Posts: 24960
Joined: 2006-05-01 03:28
Location: Germany

Re: Filezilla Vulnerability

#8 Post by boco » 2020-03-24 17:06

Plus, if you don't mind the post dates, you are very possibly doing thread necromancy. Last post is from 2011!