Wing FTP Server Privilege Escalation Vulnerability Allowing Arbitrary Command Execution

Vulnerability

In Wing FTP Server versions prior to 7.4.4, the administrative web interface runs with elevated privileges: root on Linux or SYSTEM on Windows. The web application provides legitimate means to execute arbitrary system commands, such as the web console or the task scheduler, and those commands run in that highest-privilege context. This behavior can be considered a privilege escalation, because administrative web users do not necessarily hold corresponding system administrative rights.

Impact

Exploitation of this vulnerability leads to unauthorized execution of system commands with elevated privileges, potentially allowing for full system compromise.

Reproduction

The vulnerability can be reproduced by logging into the administrative web interface with a username that contains a NULL byte followed by any additional string. This NULL byte injection bypasses the normal authentication checks and grants access as an authenticated user. Once authenticated, the full injected username, including the NULL byte and any appended Lua code, is executed when the session is loaded, resulting in remote code execution with root or SYSTEM privileges depending on the operating system.
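The mechanism described above is a check/use mismatch: the part of the server that validates the login compares the name as a NUL-terminated string, so it only sees the bytes before the NULL byte, while the part that persists the session keeps and later interprets the whole byte string. The following is an added model of that flaw class beside its hardened form; it is not Wing FTP Server's code, and the account table, password, function names and the `TAIL` marker are constructed assumptions. It generalizes slightly beyond the page by also rejecting CR and LF, since any control byte can desynchronize a line-oriented record in the same way.

```python
"""Constructed model of a NUL-byte check/use mismatch in a login name.

Added example, not Wing FTP Server's code: the account table, function
names and password are assumptions. The vulnerable variant matches
credentials on the C-string view of the username (comparison stops at
the first NUL byte) but hands the untruncated input to the session
layer. The hardened variant refuses control bytes up front and compares
exactly the bytes that would be stored, so check and use cannot diverge.
"""
from __future__ import annotations

import hmac
import re

# Constructed sample account; a real deployment would hold hashed secrets.
PASSWORD = b"correct horse battery staple"
ACCOUNTS: dict[bytes, bytes] = {b"admin": PASSWORD}

# NUL, the other C0 control bytes and DEL. CR/LF are included because a
# line-oriented session record is confused by them just as by NUL.
_FORBIDDEN = re.compile(rb"[\x00-\x1f\x7f]")


def c_string_view(raw: bytes) -> bytes:
    """What a NUL-terminated comparison actually sees: bytes up to the first NUL."""
    nul = raw.find(b"\x00")
    return raw if nul < 0 else raw[:nul]


def authenticate_vulnerable(username: bytes, password: bytes) -> bytes | None:
    """Flawed check. Credentials are matched on the truncated view, but the
    value returned to the session layer is the untruncated input, so the
    tail after the NUL rides along into whatever stores or evaluates it."""
    stored = ACCOUNTS.get(c_string_view(username))
    if stored is not None and hmac.compare_digest(stored, password):
        return username  # full bytes, including everything after the NUL
    return None


def authenticate_hardened(username: bytes, password: bytes) -> bytes | None:
    """Fixed check. Control bytes are refused before lookup, and the lookup
    key is the very byte string that would be stored, so the session layer
    can only ever see a name the check itself accepted."""
    if _FORBIDDEN.search(username):
        return None
    stored = ACCOUNTS.get(username)
    if stored is not None and hmac.compare_digest(stored, password):
        return username
    return None


if __name__ == "__main__":
    # "TAIL" stands in for whatever bytes follow the NUL; it is only a marker.
    smuggled = b"admin\x00TAIL"
    print("vulnerable :", authenticate_vulnerable(smuggled, PASSWORD))  # b'admin\x00TAIL'
    print("hardened   :", authenticate_hardened(smuggled, PASSWORD))    # None
    print("hardened ok:", authenticate_hardened(b"admin", PASSWORD))    # b'admin'
```

The defensive lesson is in the return values: the vulnerable path accepts the login and passes every byte after the NUL downstream, whereas the hardened path rejects the request before any lookup. Rejecting rather than silently stripping control bytes matters, because stripping would again create two different views of the same input.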

Remediation

Users are advised to update to Wing FTP Server version 7.4.4, where this vulnerability has been addressed.

Added: Jul 10, 2025, 5:36 PM
Updated: Jul 10, 2025, 5:36 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 10.0
exploitability: 9.5
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.