Vulnerability Note VU#906907

FireFTP filename directory traversal sequence vulnerability

Overview

The FireFTP Mozilla Firefox extension contains a vulnerability that may allow an attacker to write files to arbitrary locations.

I. Description

FireFTP is a Firefox extension that provides FTP client functionality. Firefox extensions can run with Chrome privileges which allow them to read/write local files and make network connections.

The FTP MLST command is defined in RFC 3659:MLST provides data about exactly the object named on its command line, and no others. MLSD, on the other, lists the contents of a directory if a directory is named, otherwise a 501 reply is returned.

The FTP LIST command is defined in RFC 959: This command causes a list to be sent from the server to the passive DTP. If the pathname specifies a directory or other group of files, the server should transfer a list of files in the specified directory. If the pathname specifies a file then the server should send current information on the file. A null argument implies the user's current working or default directory.

FireFTP does not properly sanitise filenames containing directory traversal sequences that are received from an FTP server in response to the MLSD and LIST commands. To exploit this vulnerability, attacker would need need to convince a user to connect to an FTP server that then send malicious commands to FireFTP.

II. Impact

A remote attacker may be able to write files to arbitrary locations on a system running Firefox with a vulnerable version of FireFTP.

III. Solution

Upgrade

Per the FireFTP Developer Information page, this issue is addressed in the 0.97.2 and .99preview releases. Users are encouraged to upgrade to a fixed version. Users who have Firefox set to Automatically check for updates and Automatically download and install the update for Add-ons should be updated to a fixed version of FireFTP automatically.

Restrict access
FTP proxy servers and IPS systems that include support for the FTP protocol may be able to block filenames that contain directory traversal sequences. Note that this workaround may not block all attack vectors.


Since Firefox extensions usually run in the context of Firefox, host-based firewalls may not be able to detect the installation or presence of Firefox Add-ons such as FireFTP.

Systems Affected

Vendor	Status	Date Updated
FireFTP	Vulnerable	21-May-2008
Mozilla	Unknown	22-May-2008

References

http://fireftp.mozdev.org/developers.html
https://addons.mozilla.org/en-US/firefox/addon/684
http://developer.mozilla.org/en/docs/Chrome
http://vuln.sg/fireftp0971-en.html
http://support.mozilla.com/en-US/kb/Options+window#Update_tab
http://tools.ietf.org/html/rfc3659
http://www.faqs.org/rfcs/rfc959.html

Credit

Information about this vulnerability was published by vuln.sg.

This document was written by Ryan Giobbi.

Other Information

Date Public	05/20/2008
Date First Published	05/21/2008 03:02:58 PM
Date Last Updated	05/23/2008
CERT Advisory
CVE Name
US-CERT Technical Alerts
Metric	1.35
Document Revision	46