Opened 4 years ago

Closed 4 years ago

#10832 closed Bug report (fixed)

Privilege escalation vulnerability in installer due to executing uninstaller using unquoted path

Reported by: Tim Kosse
Owned by:
Priority: critical
Component: FileZilla Client
Keywords:
Cc:
Component version:
Operating system type: Windows
Operating system version:

Description

As received via mail:

It seems that the setup.exe is prone to an unquoted path vulnerability.

More info on the vuln itself: https://cwe.mitre.org/data/definitions/428.html

While it sends the command:

"C:\Program Files\FileZilla FTP Client\uninstall.exe _?=C:\Program Files\FileZilla FTP Client"

It fails to quote the path correctly and launches any program named Program.exe in C: with administrator rights (or Filezilla.exe/Filezilla FTP.exe in Program Files).
I've made a piece of code to help me investigate this (get the command and the parent process) and a video as proof of concept:

https://www.youtube.com/watch?v=r06VwwJ9J4M

This trick can be used by malware to gain admin privilege or persistence on a compromised Windows system (for info I'm on Win7 SP1 x64 but it should work for all systems as it's a common Windows vulnerability).

I didn't investigate the previous versions but they are possibly vulnerable too.

A cool way to trigger the vulnerability is to wait for an update as it launches the same unquoted command (that's where it was first discovered and that's why it concerns the client too, not only the install.exe).

https://www.microplus.fr/secu/

Cyril Vallicari /Ug_0 Security
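
An added example, not part of the original ticket or of FileZilla's code: a small Python audit helper that lists the paths Windows tries, in order, for the unquoted command line reported above, following the search order Microsoft documents for CreateProcess when no application name is given. The function and constant names are hypothetical, and the quoted command is a constructed illustration of the corrected form, not the project's actual fix.

```python
import ntpath
import re

# Command line from the ticket, as the installer passed it (unquoted).
REPORTED_CMD = (r"C:\Program Files\FileZilla FTP Client\uninstall.exe "
                r"_?=C:\Program Files\FileZilla FTP Client")
INTENDED_EXE = r"C:\Program Files\FileZilla FTP Client\uninstall.exe"


def createprocess_candidates(cmdline):
    """Module paths tried, in order, for a command line with no application name."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        # Quoted module name: it ends at the closing quote, nothing is guessed.
        end = cmdline.find('"', 1)
        return [cmdline[1:end] if end != -1 else cmdline[1:]]
    # Unquoted: every whitespace boundary is a possible end of the module name.
    cuts = [m.start() for m in re.finditer(r"[ \t]+", cmdline)] + [len(cmdline)]
    candidates = []
    for cut in cuts:
        name = cmdline[:cut]
        if not ntpath.splitext(name)[1]:
            name += ".exe"  # no extension on the last component: .exe is appended
        candidates.append(name)
    return candidates


def ambiguous_candidates(cmdline, intended_exe):
    """Paths that would be tried before the intended executable is reached."""
    earlier = []
    for candidate in createprocess_candidates(cmdline):
        if candidate.lower() == intended_exe.lower():
            break
        earlier.append(candidate)
    return earlier


def quoted_command(exe, args):
    """Corrected form: the executable path is wrapped in double quotes."""
    return f'"{exe}" {args}'


if __name__ == "__main__":
    for path in ambiguous_candidates(REPORTED_CMD, INTENDED_EXE):
        print("tried before uninstall.exe:", path)
    fixed = quoted_command(INTENDED_EXE, r"_?=C:\Program Files\FileZilla FTP Client")
    print("quoted form leaves", len(ambiguous_candidates(fixed, INTENDED_EXE)), "candidates")
```

A non-empty result from `ambiguous_candidates` for any command line that an installer, updater or service launches marks a path that needs quoting.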

Change History (1)

comment:1 Changed 4 years ago by Tim Kosse

Resolution: fixed
Status: new → closed

Fixed in 3.17.0.1
