P1 Bug Hunting — FTP Server Broken Access Control


TL;DR- A bug hunting walkthrough on a critical-level FTP vulnerability that was alarmingly simple to find and validate.

Introduction

FTP, or File Transfer Protocol, is a network protocol that allows clients to transfer files over TCP/IP connections. Clients will often authenticate themselves with a username and password and will then be given access to transferable files. These servers are very easy to use, and you can find a tutorial on creating your own FTP server here.

Broken access control, commonly referred to as "BAC", is a vulnerability that occurs when access controls for certain levels of users are not properly implemented. For example, a regular client might somehow access another client’s sensitive data without authentication, or a client might vertically escalate permissions and act as an administrator. If you’re not familiar with BAC, I recommend reading this article.

Reconnaissance

Recon is absolutely essential in bug hunting, and often necessary for high-quality (and therefore high-paying) bugs. Finding this bug was incredibly simple, requiring a simple subdomain enumeration with some prior knowledge of what to look for when running automated tools like WebHeckScanner.

The Step-By-Step

After running subdomain enumeration, I found many domains that I could test with a tool such as Nmap, which detects open ports on network-connected devices. Since I had quite a few domains, I created an automation script where I could scan the ports just by inputting a list of domains. I’ll be publishing the code on my GitHub as soon as it’s finished!

Upon scanning one of the domains (we’ll call it ‘test.website.com’), I found that two ports were open: port 80, the common HTTP service port, and port 21, the common FTP service port. This should immediately raise a red flag, as an FTP service should not be visible to a trivial Nmap scan. Even the port merely being exposed indicates misconfigured security practices, which may lead to further bugs.

Eureka!

Some FTP servers may not require credentials to access their files. These are called anonymous FTP servers and may use either no username and password, or a username and password of anonymous:anonymous. This can present a security flaw, as sensitive files may be exposed if an attacker is able to view the files stored on the FTP server.
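The anonymous-login behaviour described above can be checked on your own hosts with a few lines of Python. This is an added example, not code from the original post; it uses the standard library's ftplib and includes a constructed, hypothetical fake FTP control channel so the check can be demonstrated offline with both the weak setting (anonymous accepted) and the hardened setting (anonymous refused).

```python
import ftplib
import socketserver
import threading
from ftplib import FTP, error_perm


def allows_anonymous_login(host, port=21, timeout=5.0):
    """Return True when host:port accepts the conventional anonymous login (RFC 1635)."""
    ftp = FTP()
    try:
        ftp.connect(host, port, timeout=timeout)          # expects a 220 banner
        ftp.login("anonymous", "audit@example.invalid")   # sends USER, then PASS
        ftp.quit()
        return True
    except error_perm:                 # 5xx reply to PASS, e.g. "530 Login incorrect"
        return False
    except (ftplib.Error, OSError):    # 4xx reply, closed port, timeout, reset
        return False
    finally:
        ftp.close()


# Constructed fake FTP control channel (hypothetical, for offline demonstration only).
class _FakeFtpHandler(socketserver.StreamRequestHandler):
    def handle(self):
        self.wfile.write(b"220 constructed test server ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:                         # client closed the connection
                break
            cmd = line.decode(errors="replace").strip().upper()
            if cmd.startswith("USER"):
                self.wfile.write(b"331 Password required\r\n")
            elif cmd.startswith("PASS"):
                if self.server.allow_anonymous:  # the weak setting
                    self.wfile.write(b"230 Login successful\r\n")
                else:                            # the hardened setting
                    self.wfile.write(b"530 Login incorrect\r\n")
            elif cmd.startswith("QUIT"):
                self.wfile.write(b"221 Goodbye\r\n")
                break


def start_fake_server(allow_anonymous):
    """Start the fake server on an ephemeral loopback port and return it."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _FakeFtpHandler)
    srv.daemon_threads = True
    srv.allow_anonymous = allow_anonymous
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Run `allows_anonymous_login` against your own FTP hosts as a recurring audit; any True result is the misconfiguration this post describes.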

While this practice may be acceptable on certain public FTP servers, it could have disastrous outcomes if a company’s sensitive files were stored on a compromised server. Normally, this bug is a high-level vulnerability, or P2. However, it was elevated to a critical-level (P1) vulnerability after sensitive information, such as employee usernames and passwords, was found stored on the FTP server itself.

By utilizing two simple tools (WebHeckScanner and Nmap), we were able to detect and verify a critical vulnerability in a matter of minutes. Reporting it with the tips from my guide on maximizing your bug bounties helps yield the highest rewards, so make sure to follow those tips and get the best bounty possible.

Thanks for reading about FTP Broken Access Control! If you’d like to read more about bug hunting and cybersecurity, check out The Gray Area. If you enjoyed this article, give a few claps so I’ll know to post similar content.

Support me as a writer by subscribing to a Medium membership using my referral link, giving you access to all of my posts, and every other writer’s.

Thanks!
