CVE-2023–38960: Insecure Permission vulnerability in RaidenFTPD v2.4 build 4005 (2016/04/01)

@ro0taddict
4 min readFeb 10, 2024

--

Vendor Affected:

RaidenFTPD / Raiden Professional Server / Team John Long Software

RaidenFTPD v2.4 build 4005;

Affected Component:

C:\RaidenServer\ folder and the executable files inside it

Attack Vector:

A regular user with a local access on the Windows hosts that RaidenFTPD v2.4 is running may perform a privilege escalation attack by dll hijacking or or simply replacing the binary that is associated to a Windows Service(RaidenFTPDService, or any Windows service that is associated to this FTP server). Escalating privilege is dependent if the original FTP Admin or the owner of the Windows hosts enabled the Windows Service (e.g. RaidenFTPDService) when the FTP was first setup.

Description:

Improper permission in C:\RaidenServer\ folder and the executable files inside in RaidenFTPD v2.4 build 4005 that may lead to complete compromise of the data hosted in the FTP server and the main Windows host. This attack is possible when a limited-privilege malicious user with a local access on the Windows host performs code execution and privilege escalation by performing dll hijacking, or simply replacing the binary that is associated to a Windows Service(RaidenFTPDService, etc.)

Steps to replicate:

Login as a high privilege user. Download the RaidenFTPD binary. Install and create a Windows Service.

In the image below, notice that it will create its own folder outside “Program Files” or “Program Files (x86”.

Select “Start”

Confirm that the Windows Service has been created.

Log in as a low privilege user.

Check the running “RaidenFTPDService”.

Check the permission of the “rfsvc.exe” binary.

Based on the image above, users under “Authenticated Users” group are allowed to modify the executable file.

Create your desired payload.

Set up the listener.

One complexity on this vulnerability during testing was the service itself is running with a high privilege. The windows service is also using the binary so when trying to overwrite it, an attacker cant overwrite it directly.

To do a proof of concept, stop the Windows service using a high privilege user (Lab user)”.

Then as a low priv user, overwrite the binary that is associated to the FTP Windows service.

Go back to the high privilege user and run the application.

Recommendation:

Use the “Program Files” or “Program Files (x86) as the default home folder of the application”.

References:

http://www.raidenmaild.com/download/raidenftpd2.exe

--

--

@ro0taddict
@ro0taddict

Written by @ro0taddict

InfoSec enthusiast; Lifelong learner

No responses yet