Wing FTP Server 7.4.3
Vulnerability Overview
CVE-2025-47812 is a critical Remote Code Execution (RCE) vulnerability in Wing FTP Server, a cross-platform, multi-protocol file transfer server.
Affected versions: Wing FTP Server prior to 7.4.4
Root cause: Null Byte Injection leading to arbitrary Lua Code Injection.
Exploitation Mechanism
When handling login requests, the Wing FTP Server web authentication interface fails to properly filter null bytes (\0, or %00 when URL-encoded). The attack chain is typically described in two stages, followed by the resulting privilege impact:
- Payload injection: When an attacker sends an authentication request to the login endpoint (e.g. loginok.html), they insert %00 into the username parameter and append malicious Lua script code after it. Because the underlying C++ code treats a null byte as the end of a string, the backend authentication logic may validate only the legitimate characters before the %00 (for example the anonymous account when password-less anonymous login is enabled, or some other known ordinary account). The entire original string, including the Lua code, is nevertheless written unmodified to the server's session file.
- Trigger execution: Once the session file has been tainted, the attacker only needs to send a second request carrying the corresponding cookie to any page that requires authentication (e.g. dir.html). The server reads and deserializes the session file, which directly triggers execution of the injected Lua code.
- Privilege escalation: Because the Wing FTP service typically runs with very high privileges by default, the Lua code ends up executing as root (Linux) or SYSTEM (Windows). This means the attacker can execute arbitrary system commands without restriction.
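The root cause described above, that the value the authentication check sees and the value persisted to the session disagree once a NUL is embedded, as an added C++ illustration (not Wing FTP Server's code; percent_decode is an assumed stand-in for the server's form decoder):

```cpp
#include <cstring>
#include <iostream>
#include <string>

// Simplified percent-decoder standing in for the server's form parser (assumption,
// not Wing FTP's code): "anonymous%00trailing" becomes a std::string whose 10th byte is NUL.
std::string percent_decode(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()) {
            out.push_back(static_cast<char>(std::stoi(in.substr(i + 1, 2), nullptr, 16)));
            i += 2;
        } else {
            out.push_back(in[i]);
        }
    }
    return out;
}

// Vulnerable pattern: the comparison goes through c_str(), so strcmp stops at the
// first NUL and sees only "anonymous", while the std::string still carries the tail.
bool vulnerable_is_anonymous(const std::string& user) {
    return std::strcmp(user.c_str(), "anonymous") == 0;
}

// Hardened pattern: reject embedded NULs outright and compare the full, length-aware
// std::string, so the value that is checked is exactly the value that gets stored.
bool hardened_is_anonymous(const std::string& user) {
    if (user.find('\0') != std::string::npos) return false;
    return user == "anonymous";
}

struct CheckResult {
    bool vulnerable_accepts;  // what the strcmp-based check decides
    bool hardened_accepts;    // what the length-aware check decides
    std::size_t stored_len;   // bytes that would be persisted to the session file
};

CheckResult evaluate(const std::string& raw_username) {
    std::string decoded = percent_decode(raw_username);
    return {vulnerable_is_anonymous(decoded), hardened_is_anonymous(decoded), decoded.size()};
}

int main() {
    // Constructed input: a legitimate prefix, a %00, then arbitrary trailing data.
    CheckResult r = evaluate("anonymous%00trailing");
    std::cout << "vulnerable accepts: " << r.vulnerable_accepts
              << ", hardened accepts: " << r.hardened_accepts
              << ", bytes stored: " << r.stored_len << '\n';
    return 0;
}
```

The vulnerable check accepts the input as "anonymous" while 18 bytes, including everything after the NUL, would reach the session file; the hardened check refuses it.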
Red Team Testing Approach
In an authorized penetration test, the path to reproducing and verifying this vulnerability is very clear:
- Traffic interception and tampering: Start Burp Suite (a web application security testing tool), point the browser proxy at it, and intercept the login POST request to the target site. In the Repeater module, change username to something like anonymous%00os.execute('whoami') (os.execute being Lua's operating system command execution function).
- Tool weaponization: If batch verification is needed, write an automated script in a Kali Linux (penetration testing distribution) environment using Python's requests HTTP library: first send the authentication request containing the malicious payload to obtain a cookie, then use that cookie to access the directory endpoint and print the echoed result.
Defensive Measures
The vendor has fixed this issue. The only complete remedy is to upgrade Wing FTP Server to 7.4.4 or later. As a defense-in-depth mitigation, disable FTP anonymous login in the configuration immediately wherever it is not needed.