CVE-2023-38960: Insecure Permission vulnerability in RaidenFTPD v2.4 build 4005 (2016/04/01)

@ro0taddict
Feb 10, 2024

Vendor Affected:

RaidenFTPD / Raiden Professional Server / Team John Long Software

RaidenFTPD v2.4 build 4005

Affected Component:

C:\RaidenServer\ folder and the executable files inside it

Attack Vector:

A regular user with local access to the Windows host on which RaidenFTPD v2.4 is running may escalate privileges by DLL hijacking or by simply replacing the binary associated with a Windows service (RaidenFTPDService, or any other Windows service associated with this FTP server). Whether privilege escalation is possible depends on whether the original FTP admin or the owner of the Windows host enabled the Windows service (e.g. RaidenFTPDService) when the FTP server was first set up.

Description:

Improper permissions on the C:\RaidenServer\ folder and the executable files inside it in RaidenFTPD v2.4 build 4005 may lead to complete compromise of the data hosted on the FTP server and of the underlying Windows host. The attack is possible when a limited-privilege malicious user with local access to the Windows host achieves code execution and privilege escalation through DLL hijacking, or by simply replacing the binary associated with a Windows service (RaidenFTPDService, etc.).

Steps to replicate:

Login as a high privilege user. Download the RaidenFTPD binary. Install and create a Windows Service.

In the image below, notice that the installer creates its own folder outside “Program Files” or “Program Files (x86)”.

Select “Start”

Confirm that the Windows Service has been created.

Log in as a low privilege user.

Check the running “RaidenFTPDService”.

Check the permission of the “rfsvc.exe” binary.

Based on the image above, members of the “Authenticated Users” group are allowed to modify the executable file.

Create your desired payload.

Set up the listener.

One complication during testing was that the service itself runs with high privilege. Because the running Windows service keeps the binary open, an attacker cannot overwrite it directly while the service is running.

To do a proof of concept, stop the Windows service using a high-privilege user (Lab user).

Then, as a low-privilege user, overwrite the binary associated with the FTP Windows service.

Go back to the high privilege user and run the application.
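The check the steps above perform by hand (read the ACL of the service binary and look for Modify/Write grants to low-privilege groups) can be run across every service on a host. The following audit script is an added example and not part of the original post; it assumes it is run from an elevated PowerShell 5.1+ session, and the list of low-privilege identities is an assumption you may want to extend.

```powershell
# Added audit example (not from the original post): for each Windows service, resolve the
# executable from Win32_Service.PathName and report any Allow ACE that gives a low-privilege
# group the right to replace or alter that file. Run from an elevated PowerShell session.
$lowPrivIdentities = @(                      # assumed set; extend for your environment
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'Everyone'
)
# Rights that let a user overwrite, replace or delete the executable
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl -bor
             [System.Security.AccessControl.FileSystemRights]::WriteData -bor
             [System.Security.AccessControl.FileSystemRights]::Delete

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # PathName is either quoted ("C:\some dir\svc.exe" -arg) or unquoted (C:\RaidenServer\rfsvc.exe)
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

function Test-WeakServiceBinaryAcl {
    param([string]$ServiceNameFilter = '*')   # e.g. 'RaidenFTPDService' to check one service
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -like $ServiceNameFilter -and $_.PathName } |
        ForEach-Object {
            $exe = Get-ServiceBinaryPath $_.PathName
            if (-not (Test-Path -LiteralPath $exe)) { return }
            $acl = Get-Acl -LiteralPath $exe
            foreach ($ace in $acl.Access) {
                $isLowPriv   = $lowPrivIdentities -contains $ace.IdentityReference.Value
                $grantsWrite = ($ace.FileSystemRights -band $writeMask) -ne 0
                if ($ace.AccessControlType -eq 'Allow' -and $isLowPriv -and $grantsWrite) {
                    [pscustomobject]@{
                        Service   = $_.Name
                        StartName = $_.StartName       # account the service runs as
                        Binary    = $exe
                        Identity  = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
}

Test-WeakServiceBinaryAcl | Format-Table -AutoSize
```

A row for RaidenFTPDService pointing at rfsvc.exe with “Authenticated Users” and Modify rights is the condition shown in the steps above; the fix is to install under “Program Files” as the post recommends, or to remove the Write/Modify grants on the existing folder and binary with icacls.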

Recommendation:

Use “Program Files” or “Program Files (x86)” as the default home folder of the application.

References:

http://www.raidenmaild.com/download/raidenftpd2.exe
