<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Basic-Ftp - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/basic-ftp/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 09 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/basic-ftp/feed.xml" rel="self" type="application/rss+xml"/><item><title>basic-ftp FTP Command Injection via CRLF Characters</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-basic-ftp-crlf/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-basic-ftp-crlf/</guid><description>basic-ftp version 5.2.0 is vulnerable to FTP command injection via CRLF sequences in file path parameters passed to path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with `
` appended, allowing attacker-controlled path strings to split one intended FTP command into multiple commands.</description><content:encoded><![CDATA[<p>The <code>basic-ftp</code> npm package, version 5.2.0, contains a command injection vulnerability stemming from improper sanitization of file path parameters. Specifically, the <code>protectWhitespace()</code> function fails to neutralize CRLF sequences (<code>\r\n</code>), allowing attackers to inject arbitrary FTP commands. The vulnerability exists because the <code>send()</code> function in <code>FtpContext.js</code> directly writes commands to the control socket with <code>\r\n</code> appended. This allows an attacker to craft malicious path strings that, when processed by the affected methods (cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir()), result in the execution of unintended FTP commands. This vulnerability impacts applications that use <code>basic-ftp</code> to interact with FTP servers and accept user-controlled input for file paths. The vulnerability was confirmed in version 5.2.0, and as of 2026-04-04, no fix is available.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious file path containing CRLF sequences (<code>\r\n</code>) and an injected FTP command.</li>
<li>The attacker provides the malicious path as input to one of the vulnerable <code>basic-ftp</code> methods, such as <code>cd()</code>, <code>remove()</code>, <code>rename()</code>, <code>uploadFrom()</code>, <code>downloadTo()</code>, <code>list()</code>, or <code>removeDir()</code>.</li>
<li>The <code>protectWhitespace()</code> function in <code>Client.js</code> is called, but it fails to sanitize the CRLF sequences in the path.</li>
<li>The unsanitized path is passed to the <code>send()</code> function in <code>FtpContext.js</code>, which appends <code>\r\n</code> to the command string and writes it to the TCP socket.</li>
<li>The FTP server interprets the CRLF sequences as command delimiters, splitting the intended command into multiple commands.</li>
<li>The injected FTP command is executed by the server. This can include deleting files (<code>DELE</code>), creating/removing directories (<code>MKD</code>, <code>RMD</code>), or triggering downloads (<code>RETR</code>).</li>
<li>The attacker potentially hijacks the session by injecting <code>USER</code> and <code>PASS</code> commands.</li>
<li>The attacker gains unauthorized access to files, directories, or potentially executes arbitrary commands on the FTP server, leading to data exfiltration or service disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can lead to severe consequences, including arbitrary file deletion, directory manipulation, file exfiltration, server command execution (if supported by the FTP server), session hijacking, and service disruption. The vulnerability poses a significant risk to applications that rely on <code>basic-ftp</code> and accept user-supplied file paths. If an attacker controls the FTP paths, they can inject arbitrary commands, compromising the confidentiality, integrity, and availability of the FTP server and its data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the immediate workaround by sanitizing all path inputs before passing them to <code>basic-ftp</code>, rejecting paths containing <code>\r</code> or <code>\n</code> characters. See the provided sanitization example in the mitigation section of this brief.</li>
<li>Monitor network connections for FTP traffic containing suspicious commands within file paths, using the provided Sigma rule targeting network connections with CRLF sequences.</li>
<li>Upgrade to a patched version of <code>basic-ftp</code> as soon as one becomes available that properly sanitizes or rejects CRLF sequences in file paths, addressing the root cause detailed in the overview of this brief.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ftp</category><category>command-injection</category><category>crlf</category></item><item><title>basic-ftp Denial-of-Service Vulnerability via Unbounded Memory Consumption</title><link>https://feed.craftedsignal.io/briefs/2024-01-basic-ftp-dos/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-basic-ftp-dos/</guid><description>The basic-ftp npm package version 5.2.2 and earlier is vulnerable to a denial-of-service attack. A malicious FTP server can send an extremely large or never-ending directory listing in response to the Client.list() command, causing the client to consume excessive memory until the process becomes unstable or crashes due to unbounded memory growth in the StringWriter class.</description><content:encoded><![CDATA[<p>The <code>basic-ftp</code> npm package, specifically version 5.2.2 and earlier, is susceptible to a denial-of-service (DoS) vulnerability. This vulnerability arises when the package is used to list directories from a remote FTP server. A malicious or compromised FTP server can exploit this by sending an excessively large or unending directory listing in response to the <code>Client.list()</code> command. The <code>basic-ftp</code> client, upon receiving this malicious response, attempts to buffer the entire listing in memory using the <code>StringWriter</code> class. The <code>StringWriter</code> class lacks any size limitations, resulting in unbounded memory growth as it concatenates incoming data chunks. This sustained memory allocation eventually leads to process instability and, ultimately, a crash of the application or service utilizing the vulnerable <code>basic-ftp</code> package. The vulnerability stems from the package's default directory listing flow within <code>dist/Client.js</code>, where the full listing response is downloaded into a <code>StringWriter</code> before parsing, as well as the unlimited buffering capability of <code>dist/StringWriter.js</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An application using <code>basic-ftp</code> connects to an attacker-controlled or compromised FTP server.</li>
<li>The application initiates a directory listing request by calling the <code>client.list()</code> function.</li>
<li>The malicious FTP server responds with an extremely large or never-ending directory listing.</li>
<li>Within the <code>basic-ftp</code> library, the <code>_requestListWithCommand</code> function in <code>dist/Client.js</code> is invoked.</li>
<li>The <code>downloadTo</code> function in <code>transfer_1.js</code> starts downloading the listing response to a <code>StringWriter</code> instance.</li>
<li>The <code>StringWriter</code> class, in <code>dist/StringWriter.js</code>, receives chunks of data from the listing response.</li>
<li>The <code>_write</code> method of <code>StringWriter</code> concatenates each chunk to an in-memory <code>Buffer</code> without any size checks, leading to unbounded memory consumption via <code>this.buf = Buffer.concat([this.buf, chunk])</code>.</li>
<li>The excessive memory allocation causes the application's process to become unstable and eventually crash due to memory exhaustion.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability allows a malicious actor to perform a denial-of-service attack against applications and services that rely on the <code>basic-ftp</code> package to interact with FTP servers. The attack is triggered when the application connects to a malicious FTP server and attempts to list a directory. Successful exploitation leads to excessive memory consumption, resulting in process instability and potential termination of the application. This can disrupt services, cause data unavailability, and negatively impact overall system reliability. The impact is primarily targeted at services using the vulnerable <code>basic-ftp@5.2.2</code> against untrusted FTP endpoints.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Implement application-level checks to monitor memory usage and restart processes exceeding acceptable thresholds (reference: Impact section).</li>
<li>Deploy the Sigma rule <code>Detect basic-ftp StringWriter Memory Exhaustion</code> to identify processes using <code>basic-ftp</code> that are allocating large amounts of memory (reference: rules section).</li>
<li>Upgrade to a patched version of <code>basic-ftp</code> that includes a fix for the unbounded memory consumption issue.</li>
<li>Implement a maximum listing size within your application, aborting transfers that exceed the configured limit, as suggested in the advisory's remediation section.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>denial-of-service</category><category>ftp</category><category>memory-exhaustion</category><category>npm</category></item><item><title>basic-ftp CRLF Injection Vulnerability Allows Arbitrary FTP Command Execution</title><link>https://feed.craftedsignal.io/briefs/2024-01-02-basic-ftp-crlf-injection/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-02-basic-ftp-crlf-injection/</guid><description>The basic-ftp npm package (&lt;= 5.2.1) is vulnerable to CRLF injection, enabling attackers to inject arbitrary FTP commands via crafted credentials or MKD commands, leading to file manipulation, server command execution, and potential session hijacking.</description><content:encoded><![CDATA[<p>The basic-ftp npm package, versions 5.2.1 and earlier, contains an incomplete CRLF injection protection mechanism. This vulnerability allows attackers to inject arbitrary FTP commands into the control connection by bypassing the existing <code>protectWhitespace()</code> control. There are two primary attack vectors: the first involves injecting commands via the <code>login()</code> method by manipulating user-supplied credentials, and the second exploits a TOCTOU (Time-of-Check Time-of-Use) race condition in the <code>_openDir()</code> method. The vulnerability stems from the direct concatenation of user inputs into FTP commands without proper validation for CRLF characters (\r\n). Successful exploitation can lead to unauthorized file deletion, modification, and execution of arbitrary server commands. Applications that rely on basic-ftp and accept user-provided FTP credentials or paths are at high risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a target application using basic-ftp (&lt;= 5.2.1) that accepts user-controlled FTP credentials or paths.</li>
<li>Attacker crafts a malicious username or password containing CRLF sequences followed by FTP commands, such as <code>anonymous\r\nDELE important.txt</code>.</li>
<li>The target application passes the crafted credentials to the <code>login()</code> method in basic-ftp.</li>
<li>The <code>login()</code> method concatenates the malicious username and password into USER and PASS commands without validation.</li>
<li>basic-ftp sends the crafted FTP commands to the FTP server. The injected command (e.g., <code>DELE important.txt</code>) executes before the PASS command.</li>
<li>Alternatively, the attacker crafts a malicious directory path containing CRLF sequences followed by FTP commands, such as <code>test\r\nDELE important.txt/subdir</code>.</li>
<li>The target application passes the crafted path to the <code>ensureDir()</code> method, which calls <code>_openDir()</code>.</li>
<li>The <code>_openDir()</code> method sends an MKD command with the crafted path without validation. The injected command (e.g., <code>DELE important.txt</code>) executes.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this CRLF injection vulnerability can lead to several severe consequences. Attackers can delete or manipulate files on the FTP server by injecting <code>DELE</code>, <code>RNFR</code>, and <code>RNTO</code> commands. They can also create or remove directories using <code>MKD</code> and <code>RMD</code>. Furthermore, attackers can execute arbitrary server commands by injecting <code>SITE</code> commands, potentially changing file permissions (e.g., <code>SITE CHMOD</code>). In the case of credential injection, the attacker might be able to perform actions with default server permissions before proper authentication occurs. Applications that handle user-supplied FTP credentials, like web-based file managers, are prime targets.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the recommended fix from the advisory by upgrading basic-ftp to a version greater than 5.2.1 or implementing CRLF validation as described in the advisory to prevent command injection in the <code>login()</code> and <code>_openDir()</code> methods.</li>
<li>Deploy the provided Sigma rule &quot;Detect basic-ftp CRLF Injection in FTP Commands&quot; to monitor for FTP commands containing CRLF characters in network traffic.</li>
<li>Enable network connection logging to capture FTP traffic for analysis and detection, as required by the Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>crlf-injection</category><category>ftp</category><category>command-injection</category><category>nodejs</category></item></channel></rss>