Trustwave SpiderLabs Security Advisory TWSL2014-010:
Multiple Vulnerabilities in Wing FTP Server

Published: 07/02/2014
Version: 1.0

Vendor: Wing FTP Server team (wftpserver.com)
Product: Wing FTP Server
Version affected: 4.3.7 (Windows) and prior

Product description:
Multiple platform FTP Server solution with web based administration support.

Finding 1: Source Code Disclosure
Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2014-4679
CWE: CWE-200

The HTTP server used by Wing FTP server on Windows does not properly handle requests for files using their 8.3 alias. The source code of any page can be disclosed by requesting its 8.3 alias. For example, the source of the login page (login.html) can be disclosed using the following request:

https://wingftpserver/login~1.htm

Finding 2: WebLink Authentication Bypass
Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2014-4680
CWE: CWE-287

The HTTP server used by Wing FTP server allows authenticated users to create URLs that allow unauthenticated users to download files from the server. Authentication is based on knowledge of a 128 bit hash, stored as a file's name in the _WEBLINK directory. Normally, the complexity of guessing the hash correctly would be 2^128/(number of active weblinks). However, 8.3 aliases allow weblinks to be accessed using only the first 6 characters of the hash, reducing the complexity of guessing the hash to 2^24/(number of active weblinks). An attacker can discover and download all weblinked files with 2^24 (approximately 16.7 million) requests.

Example:
Normal weblink - http://demo.wftpserver.com/main.html?download&weblink=d3b33e257f05ad973016ac7b71dc2bf7&realfilename=You$20can$20upload$20file$20into$20$5Bupload$5D
8.3 alias weblink - http://demo.wftpserver.com/main.html?download&weblink=d3b33e~1&realfilename=You$20can$20upload$20file$20into$20$5Bupload$5D

Finding 3: Web Server Denial of Service
Credit: Daniel Crowley of Trustwave SpiderLabs
CVE: CVE-2014-4681
CWE: CWE-400

Windows-based operating systems have reserved filenames which refer to devices, such as NUL (bit bucket, like /dev/null) or LPT1 (parallel printer port 1). Some of these devices will not send an EOF; if an attacker can cause an application to read from any file until EOF, it may be possible to cause an application to hang by requesting a device file that does not send an EOF. The Wing HTTP server does not properly filter requests for these names, and as such it is possible to cause a denial of service against the Wing HTTP server by requesting one of these files.

Example:
https://wingftpserver/COM1.html

Remediation Steps:
Upgrade to Wing FTP Server version 4.3.8. Please note that Trustwave SpiderLabs have not verified this fix.

Revision History:
06/18/2014 - Vulnerability disclosed to vendor
06/26/2014 - Patch released by vendor
07/02/2014 - Advisory published

References:
1. http://www.wftpserver.com/serverhistory.htm

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions.
Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
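Appendix (added example, not part of the original advisory and not code from Trustwave or the Wing FTP Server project): all three findings share one root cause on the request-handling side, namely that the HTTP server passes attacker-chosen path and weblink tokens through to the Windows filesystem, which then resolves 8.3 short-name aliases (Findings 1 and 2) and reserved device names (Finding 3). Until the vendor patch is applied, a reverse proxy or WAF rule can reject those request shapes before they reach the server. The filter below classifies URLs modelled on the advisory's own examples; the reserved-name list, the 8.3 alias pattern and the assumption that a valid weblink token is exactly 32 hexadecimal characters (a 128 bit hash as printed in the advisory) are the example's own, and the helper that computes the 2^24 guessing space for a 6-character hex prefix reproduces the advisory's arithmetic.

```python
"""Request filter for the Wing FTP Server HTTP findings in TWSL2014-010.

Constructed example for this advisory; not code from Trustwave or the Wing
FTP Server project. It flags the request shapes each finding describes so a
proxy or WAF rule can reject them before they reach the server.
"""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Windows reserved device names (Finding 3, CWE-400). Windows resolves these
# with or without an extension, so "COM1.html" still refers to the device.
RESERVED_DEVICE_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)

# 8.3 short-name alias (Findings 1 and 2): up to six characters, a tilde, a
# generation number and an optional extension of up to three characters,
# e.g. "login~1.htm" or "d3b33e~1".
SHORT_NAME_RE = re.compile(r"^[^.~\\/]{1,6}~\d+(?:\.[^.\\/]{0,3})?$")

# Assumption: a complete weblink token is the 128 bit hash as 32 hex digits,
# matching the "Normal weblink" example in the advisory.
FULL_WEBLINK_RE = re.compile(r"^[0-9a-fA-F]{32}$")


def is_reserved_device_name(segment: str) -> bool:
    """True if a path segment names a Windows device (extension ignored)."""
    return segment.split(".", 1)[0].upper() in RESERVED_DEVICE_NAMES


def is_short_name_alias(value: str) -> bool:
    """True if a path segment or token has the shape of an 8.3 alias."""
    return SHORT_NAME_RE.match(value) is not None


def weblink_guess_space(prefix_hex_chars: int) -> int:
    """Distinct values an attacker must cover when only the first
    prefix_hex_chars hex digits of the weblink hash are compared
    (6 hex digits -> 16**6 == 2**24, the figure given in Finding 2)."""
    return 16 ** prefix_hex_chars


def classify_request(url: str) -> Optional[str]:
    """Return a rejection reason for a request URL, or None if acceptable."""
    parts = urlsplit(url)
    for segment in unquote(parts.path).split("/"):
        if not segment:
            continue
        if is_reserved_device_name(segment):
            return "reserved-device-name"
        if is_short_name_alias(segment):
            return "8.3-alias-path"
    query = parse_qs(parts.query, keep_blank_values=True)
    for token in query.get("weblink", []):
        # Only a complete 32-hex-digit token passes; "d3b33e~1" and any other
        # truncated form is rejected.
        if not FULL_WEBLINK_RE.match(token):
            return "weblink-not-full-hash"
    return None


if __name__ == "__main__":
    # Constructed sample requests modelled on the advisory's examples.
    samples = (
        "https://wingftpserver/login.html",
        "https://wingftpserver/login~1.htm",
        "https://wingftpserver/COM1.html",
        "http://demo.wftpserver.com/main.html?download"
        "&weblink=d3b33e257f05ad973016ac7b71dc2bf7&realfilename=x",
        "http://demo.wftpserver.com/main.html?download"
        "&weblink=d3b33e~1&realfilename=x",
    )
    for sample in samples:
        print(f"{classify_request(sample) or 'allow':24s} {sample}")
    print("guesses needed with a 6-char prefix:", weblink_guess_space(6))
```

The filter is deliberately shape-based rather than name-based: it does not need to know which files exist on the server, only that a legitimate Wing FTP request never carries a tilde-numbered segment, a device name, or a weblink token shorter than the full hash. Rejecting on shape also logs a clear reason string that can be used to count probing attempts per source.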