Security Advisory Description

We recently released Cerberus FTP Server 10.0.16, and we wanted to elaborate on two security issues we fixed in that release and the previous 10.0.15 release.

Email Header Bypass Vulnerability (fixed in 10.0.15)

The first issue was an email header bypass vulnerability. We committed the classic mistake of not properly sanitizing user input, and that omission could allow a malicious, authenticated user to craft a subject line that added additional SMTP headers to outgoing public share email messages. A practical example of how this flaw could be exploited would be to add a special “reply-to” header to the public share email.

This vulnerability resulted in our team re-evaluating and re-designing how we construct our SMTP headers to prevent this and any future header injection vulnerabilities.


Handling File Names That End in a Period (fixed in 10.0.16)

The second issue was a little more complicated. It turns out that file names that end in a period require special handling by the Windows operating system. For example, passing a file named “badfile.exe.”, or a path to that file, to a Windows API call results in the operating system trying to open or create the file without the trailing period. You might tell the operating system to create a file called “badfile.exe.”, but it will actually create “badfile.exe”, the same name without the period at the end. Basically, Windows ignores a trailing period when interpreting the path.

The practical implication of this behavior is that a malicious user could bypass our file extension blocking mechanism. 

For example, if an administrator added “.exe” as a file extension to block from uploads, a user could upload “badfile.exe.” and it would be allowed, since “.exe.” doesn’t match “.exe”. However, the Windows operating system would actually create the file without the period: without special handling in Cerberus, the operating system ignores the trailing period. During our testing, we actually discovered that most applications (including all of the popular browsers and file transfer clients we tested) couldn’t open or access files that ended in a period.

We rewrote our file handling code to properly escape file paths with filenames ending in a period. This addressed the file extension blocking bypass vulnerability and had the added benefit of allowing Cerberus to easily handle and process paths with file names that end in a period.
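As an added example (not Cerberus's own code), the following shows why a literal extension compare is bypassed by a trailing period, and a hardened check that normalizes the final path component the way Win32 does before comparing against the blocklist. Stripping trailing spaces as well as periods goes slightly beyond the advisory; it is a related Win32 normalization rule assumed here, and the blocklist values are constructed samples.

```python
# Added example: extension blocking that accounts for Win32 trailing-period
# normalization. ntpath is used so the logic behaves the same on any host.
import ntpath

# Constructed sample blocklist, as an administrator might configure it.
BLOCKED_EXTENSIONS = {".exe", ".dll", ".bat"}


def naive_is_blocked(filename: str, blocked=BLOCKED_EXTENSIONS) -> bool:
    """Literal suffix compare on the name as sent by the client.

    "badfile.exe." splits into ("badfile.exe", "."), so the extension seen
    here is "." and the upload is allowed even though Windows will create
    "badfile.exe".
    """
    _, ext = ntpath.splitext(filename)
    return ext.lower() in blocked


def win32_normalize_name(filename: str) -> str:
    """Return the final path component as Win32 will actually store it.

    Win32 drops trailing periods from a path component; trailing spaces are
    dropped too (assumed related rule). Paths using the \\?\ prefix skip this
    normalization, which is why a server can use that prefix to handle such
    names explicitly.
    """
    name = ntpath.basename(filename)
    return name.rstrip(". ")


def hardened_is_blocked(filename: str, blocked=BLOCKED_EXTENSIONS) -> bool:
    """Compare the blocklist against the name the OS would really create."""
    normalized = win32_normalize_name(filename)
    if not normalized:
        # A name made only of periods/spaces normalizes to nothing; reject it.
        return True
    _, ext = ntpath.splitext(normalized)
    return ext.lower() in blocked


if __name__ == "__main__":
    for candidate in ("badfile.exe", "badfile.exe.", "sub\\badfile.exe .", "notes.txt"):
        print(f"{candidate!r}: naive={naive_is_blocked(candidate)} "
              f"hardened={hardened_is_blocked(candidate)}")
```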

Known Affected versions

  • 10.0 releases prior to 10.0.16
  • 9.0 releases prior to 9.0.17
  • 8.0 and older are no longer supported or maintained and are likely susceptible to this vulnerability

Mitigation

These vulnerabilities were addressed in Cerberus FTP Server 10.0.16 and 9.0.17.

Cerberus FTP Server 11.0 is not susceptible to these vulnerabilities.

Older versions of Cerberus FTP Server are no longer maintained and will not be seeing any security or bug fixes. Administrators are encouraged to upgrade to 11.0.1 or higher as soon as possible.

Credit

Special thanks to security researcher Robert Newman from Context Information Security for discovering and reporting these vulnerabilities.