Blind Cross-Site scripting to RCE in Cerberus FTP version 9 and 10
Cerberus FTP Blind Cross-Site Scripting to remote code execution as SYSTEM. (Version 9 and 10)
We found a Blind XSS bug that we could use to go from unauthenticated user to NT AUTHORITY\SYSTEM.
The only access we need is to the FTP port with a default configuration. The timeline shows that Cerberus FTP was very responsive and fixed the issue promptly.
This is not the most technical bug, but it serves as a reminder that even when an admin panel is inaccessible to a user, it is very important to sanitize any input displayed there, because attacker-controlled data can reach it through other vectors.
01-03-2019 - Reported bug
05-03-2019 - Bugfix confirmed and patch release scheduled to 12-03-2019
12-03-2019 - Patch released
Proof of concept
When a user connects to the Cerberus FTP server they can enter a username and password. If we send the username root but no password, an entry appears in the connection tab of the Cerberus admin panel.
This is the case even if the user does not exist. So just by letting the connection hang without entering the password, we can force an entry here. This username field is not sanitized in the admin panel, which enables us to perform blind Cross-Site Scripting without any authentication.
So if we enter the standard payload <script>alert(1)</script> as the username, we will see the alert box on the admin interface.
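As an added defensive example (not code from the original post or from Cerberus FTP), the snippet below shows the two things a defender cares about here: escaping the username for the HTML context before it is rendered in the connection tab, and flagging USER commands in FTP control-channel logs that carry markup. The log lines and their layout are constructed for the example; real Cerberus log formatting is not assumed.

```python
import html
import re

# Constructed sample of FTP control-channel log lines in the shape
# "<timestamp> <client> <command line>"; not taken from Cerberus logs.
SAMPLE_LOG = """\
2019-03-01T10:00:01 203.0.113.5 USER alice
2019-03-01T10:00:02 203.0.113.5 PASS ********
2019-03-01T10:01:10 198.51.100.7 USER <script>alert(1)</script>
2019-03-01T10:01:20 198.51.100.7 NOOP
2019-03-01T10:01:30 198.51.100.7 NOOP
2019-03-01T10:02:00 192.0.2.9 USER root
"""

USER_RE = re.compile(r"^(\S+)\s+(\S+)\s+USER\s+(.*)$")
# Characters and tokens that have no place in an FTP username but gain
# meaning once the string is placed into an HTML page.
MARKUP_RE = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)


def render_connection_row(username: str) -> str:
    """Render a username into a connection-tab cell the safe way: escape it
    for the HTML text context, so <script> becomes &lt;script&gt;."""
    return f"<td>{html.escape(username, quote=True)}</td>"


def find_markup_usernames(log_text: str) -> list[tuple[str, str]]:
    """Return (client, username) pairs whose USER argument contains HTML
    markup or script-like tokens, i.e. candidates for a stored XSS attempt."""
    hits = []
    for line in log_text.splitlines():
        m = USER_RE.match(line)
        if m and MARKUP_RE.search(m.group(3)):
            hits.append((m.group(2), m.group(3)))
    return hits


if __name__ == "__main__":
    for client, user in find_markup_usernames(SAMPLE_LOG):
        print(f"suspicious USER from {client}: {user!r}")
        print("  rendered safely as:", render_connection_row(user))
```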
The remote code execution
After looking at the admin panel we can see that it has a feature for configuring scheduled operations. These can be many things; among them is launching an arbitrary .exe file with custom parameters. This .exe file is then run with SYSTEM privileges.
So we of course abused this in our XSS payload to launch a reverse shell with SYSTEM privileges using PowerShell.
First we had to keep our connection open so that our entry stayed in the connection tab indefinitely. This is done by sending the username and then sending NOOP commands every 10 seconds to keep the connection alive.
This is seen in our exploit stager.
The script above takes three arguments: target_ip, target_port and hosted_payload_link. The hosted payload is responsible for setting up the scheduled task and running it immediately. The PowerShell payload can easily be switched for something else.
Before running the exploit you need to specify the host and port that you will listen on with netcat.
After specifying this, run the command nc -l <port> to start listening for the reverse shell.
After we visit the admin panel, we get the SYSTEM shell.