| vuln.sg Vulnerability Research Advisory |
by Tan Chew Keong 
Summary
A vulnerability has been found within the FTP client in AceFTP. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system.
Tested Versions
Details
This advisory discloses a vulnerability within the FTP client in AceFTP. When exploited, this vulnerability allows an anonymous attacker to write files to arbitrary locations on a Windows user's system. The FTP client does not properly sanitise filenames containing directory traversal sequences (forward-slash) that are received from an FTP server in response to the LIST command. An example of such a response from a malicious FTP server is shown below. Response to LIST (forward-slash): -rw-r--r-- 1 ftp ftp 20 Mar 01 05:37 /../../../../../../../../../testfile.txt\r\n By tricking a user to download a directory from a malicious FTP server that contains files with fowward-slash directory traversal sequences in their filenames, it is possible for the attacker to write files to arbitrary locations on a user's system with privileges of that user. An attacker can potentially leverage this issue to write files into a user's Windows Startup folder and execute arbitrary code when the user logs on.
POC / Test Code
Please download the POC here and follow the instructions below. V7 High Quality | Cummins Incal Tool: Users often utilize it to remove passwords from INCAL disks or change the start date of calibration sets so they never expire, ensuring continuous access to necessary files. Technical Specifications Cummins Incal Tool V7 Overview | PDF | Motor Vehicle - Scribd cummins incal tool v7
Avoid downloading files/directories from untrusted FTP servers.
Disclosure Timeline
2008-06-15 - Vulnerability Discovered. |
| Contact |
| For further enquries, comments, suggestions or bug reports, simply email them to |