CVE-2023-36049: Microsoft .NET CRLF Injection Arbitrary File Write/Deletion Vulnerability
March 06, 2024 | Trend Micro Research TeamIn this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Justin Hung and Yazhi Wang of the Trend Micro Research Team detail a recently patched privilege escalation vulnerability in .NET Framework and Visual Studio. This bug was originally discovered by Piotr Bazydło of Trend Micro’s Zero Day Initiative (ZDI). Successful exploitation of this vulnerability would allow a remote attacker to write or delete files in the context of the FTP server. The following is a portion of their write-up covering CVE-2023-36049, with a few minimal modifications.
A remote command execution vulnerability has been reported in the Microsoft .NET Framework and Visual Studio. This vulnerability is due to improper validation of user input. An attacker could exploit this vulnerability by sending malicious requests to the FTP servers. Successful exploitation could allow the attacker to write or delete files in the context of the FTP server.
The Vulnerability
The .NET Framework is a software framework for Microsoft Windows that provides development and execution tools for software applications. Applications written for the .NET Framework are executed in the Common Language Runtime (CLR) environment. The CLR takes .NET applications as Common Intermediate Language (CIL) object code and uses a just-in-time (JIT) compiler to compile the CIL object code to native code for the target platform.
FTP is the File Transfer Protocol described in RFC 959 and other RFCs. FTP uses two separate TCP connections - one for control and another for data transfer. A connection to the listening port from the FTP client forms the control stream on which FTP service commands are passed from the FTP client to the FTP server and on occasion from the FTP server to the FTP client. FTP service commands are used for authentication, file transfer, file system functions, etc. FTP commands have the following syntax:
<command> <SP> [parameters] <CRLF>
where
RETR remote-filename
A separate TCP connection is used for the transfer of data when a command, such as STOR, RETR, LIST, and so on, is received. Information, such as command results, the content of the transferred file, and so on are exchanged via this data stream connection. This data stream connection can be initiated by the client or the server. The client can issue the PASV command to request the FTP server to open an ephemeral port to wait for connections from the client. If the client wishes to wait for connections from the server instead, a PORT command is issued.
A command injection vulnerability exists in Microsoft .NET Framework. The vulnerability is due to insufficient validation of FTP command parameters and FTP URI requests. More specifically, the .NET Framework implements a class FtpControlStream to handle basic FTP control connections. In the implementation, it calls an internal function FormatFtpCommand() to form a valid FTP command with command and parameters as arguments. However, when the vulnerable function handles the FTP parameters, it fails to validate if the parameters include CRLF characters. It will form the following FTP commands when the command is "RETR" and the parameter is "onefile<CRLF>DELE otherfile\<CRLF>":
Similarly, another internal function FtpWebRequest() fails to validate if the URI argument contains or not. A malicious FTP URI could make the vulnerable function send malicious FTP command after the FTP connection established.
The attack vector depends on how the vulnerable .NET functions are used in the FTP applications. An attacker could exploit this vulnerability by sending malicious requests to the FTP server. Successful exploitation could allow the attacker to write or delete files in the context of the FTP server.
Source Code Walkthrough
The following code snippet was taken from .NET commit 0ed0438152b25a8a19bcc87eb335fa8a089ac8db. Comments added by Trend Micro have been highlighted.
In src/libraries/System.Net.Requests/src/System/Net/FtpControlStream.cs:
In src/libraries/System.Net.Requests/src/System/Net/FtpWebRequest.cs:
Detection Guidance
To detect an attack exploiting this vulnerability, the detection device must monitor and parse all FTP traffic, which is on TCP port 21 by default.
The detection device must inspect if there are multiple FTP commands (multiple CRLF) sent in one packet. If found, the traffic should be considered suspicious, and an attack exploiting this vulnerability is likely underway.
Note that since most FTP servers accept multiple FTP commands in one packet, there might be false positives using this detection guidance in normal FTP traffic.
Conclusion
Microsoft addressed this vulnerability by releasing a patch in November, however, it has been revised multiple times. The most notable revision adds PowerShell versions 7.2, 7.3, and 7.4 as affected platforms. If you are unable to apply the patch, you can prevent exploitation by refusing to accept FTP URIs from untrusted peers or otherwise filtering FTP traffic. Still, it is recommended to apply the vendor fix to fully resolve this vulnerability.
Special thanks to Justin Hung and Yazhi Wang of the Trend Micro Research Team for providing such a thorough analysis of this vulnerability. For an overview of Trend Micro Research services please visit http://go.trendmicro.com/tis/.
The threat research team will be back with other great vulnerability analysis reports in the future. Until then, follow the team on Twitter, Mastodon, LinkedIn, or Instagram for the latest in exploit techniques and security patches.