Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Wing FTP Server Remote Code Execution Vulnerability via NULL Byte Injection

Vulnerability

A remote code execution vulnerability has been identified in Wing FTP Server versions prior to 7.4.4. Both the user and the admin web interfaces mishandle NULL bytes in the username submitted at login: the credential check treats the NULL byte as a string terminator and validates only the bytes before it, whereas the session handling code preserves the full string and writes it into the user's session file. Anything placed after the NULL byte therefore lands in that file as arbitrary Lua code, which is executed with the privileges of the FTP service, root or SYSTEM by default, leading to a total server compromise. Because the part before the NULL byte only has to be a valid login, this vulnerability is also exploitable through anonymous FTP accounts.

Impact

Exploitation of this vulnerability allows remote code execution on the server with root rights on Linux or SYSTEM rights on Windows. Where anonymous FTP is enabled, no valid account is required.

Reproduction

The vulnerability can be reproduced by logging in to the Wing FTP Server web interface as the anonymous user. In the login request, a NULL byte is appended to the username field, followed by an arbitrary string containing Lua code. The credential check stops at the NULL byte and accepts the login as anonymous, while the complete username, including the trailing Lua code, is written into the newly created session file. The injected code runs the next time that session file is loaded, which happens when the authenticated session uses ordinary web interface functionality such as a directory listing.
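The NULL-byte mismatch described above, modelled in Python as an added example (this is not Wing FTP Server's code; the real product's endpoint names and exact session-file layout are not reproduced here). It shows a credential check that sees only the bytes before the NULL byte, a session writer that serialises the full username into a Lua file, a hardened writer with the check a practitioner would add, and a scanner that flags a session file in which code has escaped the string literal. The payload text and the `username = "..."` line format are constructed for illustration.

```python
"""Model of a NULL-byte mismatch between a C-style credential check and a
Lua session writer.  Added example; not Wing FTP Server's code."""
import re

# Constructed inputs (not captured from a real server): a normal anonymous
# login and a username carrying a NULL byte followed by Lua.
BENIGN_USER = b"anonymous"
INJECTED_USER = b'anonymous\x00"; os.execute("id") --'   # payload shape is illustrative


def c_string(value: bytes) -> bytes:
    """Everything a NUL-terminated C string function sees: the bytes before the first NUL."""
    return value.split(b"\x00", 1)[0]


def authenticate(username: bytes) -> bool:
    """Credential check modelled on a C comparison: only the part before the NUL is examined."""
    return c_string(username) == b"anonymous"


def write_session_vulnerable(username: bytes) -> bytes:
    """Session writer that interpolates the full (length-counted, not NUL-terminated) username."""
    return b'username = "' + username + b'"\n'


def write_session_hardened(username: bytes) -> bytes:
    """Same writer with the fix a practitioner would want: refuse NULs, escape the rest."""
    if b"\x00" in username:
        raise ValueError("NUL byte in username")
    escaped = (username.replace(b"\\", b"\\\\")
                       .replace(b'"', b'\\"')
                       .replace(b"\n", b"\\n"))
    return b'username = "' + escaped + b'"\n'


def hardened_rejects(username: bytes) -> bool:
    """True if the hardened writer refuses the username."""
    try:
        write_session_hardened(username)
    except ValueError:
        return True
    return False


def code_outside_strings(lua_src: bytes) -> bytes:
    """Blank the contents of double-quoted Lua literals (honouring backslash escapes).
    Whatever survives outside the quotes is code the Lua loader would execute."""
    out, in_str, i = bytearray(), False, 0
    while i < len(lua_src):
        ch = lua_src[i:i + 1]
        if in_str:
            if ch == b"\\":
                i += 1               # skip the escaped character
            elif ch == b'"':
                in_str = False
                out += ch
        else:
            if ch == b'"':
                in_str = True
            out += ch
        i += 1
    return bytes(out)


# A legitimate session line reduces to `name = ""`, a number or a boolean once
# string contents are blanked; anything else is injected code.
SAFE_LINE = re.compile(rb'^\s*\w+\s*=\s*(?:""|\d+|true|false)\s*$')


def session_is_suspicious(session: bytes) -> bool:
    """Flag a session file that contains NUL bytes or statements beyond plain assignments."""
    if b"\x00" in session:
        return True
    stripped = code_outside_strings(session)
    return any(line and not SAFE_LINE.match(line) for line in stripped.splitlines())


def simulate(username: bytes):
    """Run the vulnerable login path; returns (authenticated, session_bytes, suspicious)."""
    if not authenticate(username):
        return False, b"", False
    session = write_session_vulnerable(username)
    return True, session, session_is_suspicious(session)


if __name__ == "__main__":
    for user in (BENIGN_USER, INJECTED_USER):
        ok, session, bad = simulate(user)
        print(user, "-> authenticated:", ok, "suspicious:", bad)
        print("   code seen by the loader:", code_outside_strings(session))
```

The scanner is also usable as a quick integrity check over existing session files: a line that does not reduce to a bare `name = literal` assignment once string contents are blanked, or any NUL byte at all, is a sign that a username carrying Lua has already been written to disk.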

Remediation

Users are advised to update to Wing FTP Server version 7.4.4 or later, where this vulnerability has been fixed. Until the update is applied, disabling anonymous accounts removes the unauthenticated path, and running the service under a dedicated low-privilege account rather than root or SYSTEM limits what injected code can do; neither measure removes the underlying bug.

Added: Jul 10, 2025, 5:34 PM
Updated: Jul 14, 2025, 5:57 PM

Vulnerability Rating

Custom Algorithm

spread          1.9
impact         10.0
exploitability  9.8
remediation     7.7
relevance       0.3
threat          9.9
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.