Titan FTP

Version: <


CWE-24: Path Traversal

The move-file function has a path traversal vulnerability in the newPath parameter newPath":"/../../../../../../../Program Files/South River Technologies/srxserver/file

So, by uploading a file and then moving it, it can be placed anywhere on the filesystem, because the process runs as NT System

This is an authenticated exploit. An attacker would need a user account on the TitanFTP server, to upload the files.

CWE-427: Uncontrolled Search Path Element

The service-application is vulnerable to a DLL search order hijack. It is importing several Windows DLL-files, like version.dll. By placing a proxy-DLL named version.dll exploiting the path traversal vulnerability, this DLL will proxy imports to the original version.dll also uploaded in the application directory, one will gain Remote Code Execution on the server as NT System.

POC Video