Filezilla Vulnerability

Posted: 2011-10-17 16:10
by FrozT2
I was performing a penetration test using Nessus on a client with a FileZilla server and I got the following medium severity event:

FTP Service AUTH TLS Plaintext Command Injection

I instructed my client to upgrade their FileZilla server to the latest version and he did so. I then re-ran the test and it still failed with the exact same warning.

Is this a known issue or something that is being addressed?

Re: Filezilla Vulnerability

Posted: 2011-10-17 18:09
by botg
Do you have any details on how this attack works?

As authentication is only done after the secure connection has been established and all previously received plaintext commands have been executed, I see no possible way to exploit this.

Things would be different if FileZilla Server used TLS client certificates for authentication, but it does not.

Re: Filezilla Vulnerability

Posted: 2011-10-18 20:51
by FrozT2
Plugin Output

Nessus sent the following two commands in a single packet :


And the server sent the following two responses :

234 Using authentication type TLS
MLST type*;size*;modify*;
211 End

The remote FTP server contains a software flaw in its AUTH TLS
implementation that could allow a remote unauthenticated attacker to
inject commands during the plaintext protocol phase that will be
executed during the ciphertext protocol phase.

Successful exploitation could permit an attacker to modify files on
the FTP server and reveal a user's credentials.

Re: Filezilla Vulnerability

Posted: 2011-10-19 06:07
by botg
Successful exploitation could permit an attacker to modify files on
the FTP server and reveal a user's credentials.
Where is that successful exploitation? The way I see it, there is no vulnerability, an attacker can at most execute those commands he could have executed by just connecting to the server himself without performing a TLS handshake. Utterly harmless.

I really don't like tools like Nessus, they cry wolf without actually verifying the problem. Just a bunch of generic tests when instead they should have focused on specific tests for each individual FTP server software and manually verified the results.

Re: Filezilla Vulnerability

Posted: 2011-10-19 16:05
by FrozT2
Generally when performing a penetration test on production systems we turn off the checkbox which would perform an actual attack as a courtesy to our clients. We don't actually want to destroy anything, just find the holes and plug them...

We can assume that FileZilla uses the same input buffer before and after the switch to TLS. This buffer should be discarded after the switch.

The following is specifically mentioned under re-authentication in RFC 2228:
"The AUTH command, if accepted, removes any state associated with prior FTP Security commands."
In this case its intention is to remove any state from one encrypted session to another (which should discard the previous input buffer), but I think it can be reasonably applied to the first AUTH command since the initial state was unencrypted, and we moved to an encrypted state.
Secure command channel
The secure command channel mode can be entered through the issue of either the AUTH TLS or AUTH SSL commands. After such time, all command control between the FTPS client and server are assumed to be encrypted. It is generally advised to enter such a state prior to user authentication and authorization in order to avoid the eavesdropping of user name and password data by third parties.

On May 24th 2011 Pure-FTP addressed this issue:

April 1st 2011 ProFTP addressed the issue in version 1.3.3e

Additional reference: ... 0/threaded

I see your point that this is a minor issue, and an attacker likely couldn't do anything they already could have done. But for the time being Nessus ranks this as 'Medium Severity' and my report must include this information because it includes copies of the scan. Maybe you could contact Nessus and have them downgrade the severity of the issue? But it might just be easier to patch it as others have done.
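The buffer-handling point made in the post above (plaintext bytes that arrive in the same packet as AUTH TLS must not survive the switch to the encrypted channel) is easiest to see in a small model of the server-side command reader. The following is an added example written for this thread, not FileZilla Server code and not how FileZilla Server is implemented. It performs no real TLS: "encrypted" is only a flag flipped when AUTH TLS is accepted, so it runs offline. The pipelined second command (FEAT) is an assumption, since the scanner output quoted earlier does not show what Nessus actually sent. The same reader is run once with the buffer kept across the upgrade and once with it discarded, and a second probe splits the injected command across the upgrade boundary to show that the discard must also cover a partial line.

```python
# Added example, not FileZilla Server code: a minimal model of an FTP control-channel
# reader showing why bytes buffered in plaintext next to AUTH TLS must be discarded
# when the channel is upgraded. No real TLS is performed; "encrypted" is only a flag.
# The FEAT command used as the pipelined second command is an assumption.

PIPELINED_PROBE = [b"AUTH TLS\r\nFEAT\r\n"]          # constructed: two commands, one segment
SPLIT_PROBE = [b"AUTH TLS\r\nFE", b"AT\r\n"]         # constructed: line cut across the upgrade


class FtpControlReader:
    """Reads CRLF-terminated commands and dispatches a tiny FTP subset."""

    def __init__(self, discard_buffer_on_auth):
        self.discard_buffer_on_auth = discard_buffer_on_auth
        self.buffer = b""
        self.buffer_origin = None   # "plaintext", "tls" or "mixed" for the bytes in buffer
        self.encrypted = False
        self.user = None
        self.log = []               # (verb, origin, ran_while_encrypted, reply)

    def feed(self, data):
        """Append raw socket bytes and run every complete command line they form."""
        origin = "tls" if self.encrypted else "plaintext"
        if self.buffer and self.buffer_origin != origin:
            origin = "mixed"        # a partial plaintext line completed by TLS bytes
        self.buffer += data
        self.buffer_origin = origin
        self._drain()

    def _drain(self):
        while b"\r\n" in self.buffer:
            line, _, self.buffer = self.buffer.partition(b"\r\n")
            self._dispatch(line.decode("ascii", "replace"), self.buffer_origin)
        if not self.buffer:
            self.buffer_origin = None

    def _dispatch(self, line, origin):
        ran_while_encrypted = self.encrypted
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH" and arg.upper() == "TLS" and not self.encrypted:
            reply = "234 Using authentication type TLS"
            self.encrypted = True   # a real server starts the TLS handshake here
            if self.discard_buffer_on_auth:
                # Hardened: drop anything read alongside AUTH TLS. A real server must
                # also flush any read-ahead held by the socket layer below TLS.
                self.buffer = b""
                self.buffer_origin = None
        elif verb == "USER":
            self.user = arg
            reply = "331 Password required for %s" % arg
        elif verb == "FEAT":
            reply = "211-Features:\r\n MLST type*;size*;modify*;\r\n211 End"
        else:
            reply = "500 Unknown command"
        self.log.append((verb, origin, ran_while_encrypted, reply))
        return reply


def commands_crossing_the_upgrade(discard_buffer_on_auth, chunks):
    """Feed the chunks in order and return the verbs that arrived (wholly or partly)
    in plaintext but were executed after the channel was marked encrypted."""
    reader = FtpControlReader(discard_buffer_on_auth)
    for chunk in chunks:
        reader.feed(chunk)
    return [verb for verb, origin, ran_encrypted, _ in reader.log
            if origin != "tls" and ran_encrypted]


if __name__ == "__main__":
    for name, probe in (("pipelined", PIPELINED_PROBE), ("split line", SPLIT_PROBE)):
        print(name, "buffer kept      ->", commands_crossing_the_upgrade(False, probe))
        print(name, "buffer discarded ->", commands_crossing_the_upgrade(True, probe))
```

With the buffer kept, FEAT is executed after the 234 reply and its answer would be sent inside the TLS session even though the command itself was never protected by it; with the buffer discarded at the upgrade, nothing crosses the boundary, and in the split case the leftover "AT" arrives over TLS as an ordinary unknown command. Neither variant has an authenticated user when the injected command runs, which is the point botg makes about the impact on a server that authenticates only after the handshake.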

Re: Filezilla Vulnerability

Posted: 2011-10-19 19:21
by botg
I never said that I won't fix this issue, but unless proven otherwise, I do not consider it a vulnerability that requires immediate attention. I've been aware of this class of attack since the original STARTTLS vulnerability in SMTP and its potential application towards FTP over TLS and don't think that this issue can be exploited in FileZilla Server.

However, if you can show me a concrete example how Mallory can exploit this bug to disclose information between Alice and FileZilla Server, I can guarantee you that a fixed version will be released within 24 hours.

Re: Filezilla Vulnerability

Posted: 2020-03-24 16:35
by jdelta
"I was performing a penetration test using Nessus" -> Nessus is a vulnerability scanner. If you encounter an issue, and you cannot validate (read as "exploit") the issue, you are not only NOT performing a "penetration test", but also very possibly looking at a false positive.

Re: Filezilla Vulnerability

Posted: 2020-03-24 17:06
by boco
Plus, if you don't mind the post dates, you are very possibly doing thread necromancy. Last post is from 2011!