Vulnerability Title: Path Traversal Read in handle_retr Function in FTPd Service of BR-6208AC_V2_1.02 busybox networking

Discovered by: tzh00203

Contact Information: [email protected]

Affected Version: BR-6208AC_V2_1.02 firmware

Component: BusyBox networking FTP daemon (FTPd)


1. Vulnerability Overview

A path traversal vulnerability has been discovered in the FTP daemon service of the EDIMAX BR-6208AC_V2_1.02 firmware. The vulnerability exists in the handle_retr function of the FTPd implementation, which does not validate or sanitize user-supplied file paths during file retrieval operations. This allows authenticated attackers to read arbitrary files from the filesystem, potentially exposing sensitive configuration files, passwords, and system information.


2. Detailed Description

The vulnerability occurs in the handle_retr function, which handles the FTP RETR (retrieve) command. When a client requests a file via RETR, the function does not sanitize the supplied file path, so directory traversal sequences (../) bypass the intended directory restrictions.

The affected FTP daemon is implemented within the BusyBox networking utilities and runs with elevated privileges (typically as root or a privileged user), enabling access to sensitive system files outside the intended FTP root directory.



Vulnerable Code:

image.png

Based on the provided code snippet, a critical path traversal vulnerability exists in the handle_retr function of the FTP daemon. The root cause is the direct use of the user-supplied input G.ftp_arg, without any sanitization or validation, in the open() call at the line local_file_fd = G.ftp_arg ? open(G.ftp_arg, O_RDONLY | O_NONBLOCK) : -1;. G.ftp_arg holds the filename parameter of the FTP RETR command and is entirely controlled by the FTP client. The code performs none of the usual path traversal checks: it does not filter traversal sequences (../ or ..\\), does not resolve the path to its canonical form, and does not verify that the requested file resides within the intended FTP root directory. Consequently, an authenticated attacker can submit a RETR command containing traversal sequences (e.g., RETR ../../../etc/passwd) to read arbitrary files from the underlying filesystem. Because the FTP daemon typically runs with elevated privileges, this gives unauthorized access to sensitive system files, configuration files containing credentials, and other restricted data, which is a severe confidentiality breach.

Taint input:

image.png

The FTP server performs no filtering of special sequences such as ../ at any point between receiving the user-supplied parameter and reaching the sink (the open() call).
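The checks that the two passages above describe as missing (rejecting traversal sequences, canonicalising the path, and verifying the result stays under the FTP root) are shown below as an added C example. This is not BusyBox code and not a vendor fix; the function names, the `root` argument (assumed to be the already-canonical FTP root without a trailing slash) and the sample arguments are assumptions made for the illustration. The lexical check alone stops `../` escapes; the realpath() step additionally stops escapes through symlinks placed inside the tree.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Lexically normalise an FTP RETR argument relative to the server root.
 * Returns 1 if the path stays within the root (normalised relative path
 * written to `out`, "" meaning the root itself), 0 if it would escape
 * through ".." or does not fit in `out`. A leading "/" is treated as
 * root-relative, as FTP clients commonly send it.
 * (Hypothetical helper written for this advisory, not BusyBox code.) */
int ftp_path_within_root(const char *arg, char *out, size_t outlen)
{
    size_t len = 0;                 /* bytes of normalised path in out */
    const char *p = arg;

    if (arg == NULL || outlen == 0)
        return 0;
    out[0] = '\0';

    while (*p) {
        const char *end = strchr(p, '/');              /* next separator */
        size_t clen = end ? (size_t)(end - p) : strlen(p);

        if (clen == 0 || (clen == 1 && p[0] == '.')) {
            /* "//" or "/./": nothing to do */
        } else if (clen == 2 && p[0] == '.' && p[1] == '.') {
            /* "..": drop the previous component; at the root it escapes */
            if (len == 0)
                return 0;
            while (len > 0 && out[len - 1] != '/')
                len--;
            if (len > 0)
                len--;                                  /* drop the '/' */
            out[len] = '\0';
        } else {
            /* ordinary component: append with a '/' separator */
            size_t need = (len ? 1 : 0) + clen;
            if (len + need + 1 > outlen)
                return 0;                               /* refuse overflow */
            if (len)
                out[len++] = '/';
            memcpy(out + len, p, clen);
            len += clen;
            out[len] = '\0';
        }
        p = end ? end + 1 : p + clen;
    }
    return 1;
}

/* Convenience wrapper: 1 if `arg` stays inside the root, else 0. */
int retr_arg_is_safe(const char *arg)
{
    char scratch[PATH_MAX];
    return ftp_path_within_root(arg, scratch, sizeof scratch);
}

/* Confined replacement for the unchecked open(G.ftp_arg, ...) call.
 * `root` must be canonical (as returned by realpath) without a trailing
 * slash. Returns the file descriptor, or -1 if the path is rejected. */
int open_retr_confined(const char *root, const char *arg)
{
    char rel[PATH_MAX], full[PATH_MAX], resolved[PATH_MAX];
    size_t rlen;

    if (!ftp_path_within_root(arg, rel, sizeof rel))
        return -1;
    if (snprintf(full, sizeof full, "%s/%s", root, rel) >= (int)sizeof full)
        return -1;
    /* Filesystem-aware second check: canonicalise (follows symlinks) and
     * require the root as a whole-component prefix of the result. */
    if (realpath(full, resolved) == NULL)
        return -1;
    rlen = strlen(root);
    if (rlen == 1 && root[0] == '/')
        rlen = 0;                   /* root "/" matches every absolute path */
    if (strncmp(resolved, root, rlen) != 0 ||
        (resolved[rlen] != '/' && resolved[rlen] != '\0'))
        return -1;
    return open(resolved, O_RDONLY | O_NONBLOCK);
}

int main(void)
{
    /* Constructed sample arguments: the traversal form from the advisory
     * next to a benign one. */
    const char *samples[] = { "../../../etc/passwd", "pub/../../etc/passwd",
                              "/pub/./a//b/../c", "readme.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char out[PATH_MAX];
        int ok = ftp_path_within_root(samples[i], out, sizeof out);
        printf("%-24s -> %s\n", samples[i], ok ? out : "REJECTED");
    }
    return 0;
}
```

The normalisation runs before any filesystem access, so a rejected argument never reaches open(); the realpath() prefix test compares whole components (so a root of `/srv/ftp` does not accept `/srv/ftp2/...`). Both layers together are what the handle_retr code in the advisory lacks.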

image.png

Impact: