FileZilla Client — Cleartext Storage of Sensitive Information in Memory Vulnerability (CVE-2022–29620)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29620
FileZilla Client is one of the most frequently used Software for the FTP/SFTP operations, in this writeup I will make a publication of CVE-2022–29620 Vulnerability with details and reproduction of the attack sample. The latest version of FileZilla Client suffers from CWE-316: Cleartext Storage of Sensitive Information in Memory Vulnerability that can cause the compromise of user credentials due to storing the user credentials in memory without any protection.
Attackers need to compromise the victim device to exploit this Vulnerability.
Description of the Vulnerability
On the latest version of FileZilla Client, if a user connected to the FTP server with Username and Password credentials, the attacker able to obtain cleartext credentials that was being used once by the user for the FTP authentication process.
My research identifies that every authentication process has been stored inside FileZilla client memory as a cleartext format without any Encryption or protection on it. This issue ends up with credential stealing.
I need to add this as a side note, FileZilla client software is also being used for SFTP protocol which means that if an authenticated legit user connects to a remote server, the unauthenticated attacker is able dump the memory of FileZilla client and read the password and username data easily that data could be used by attacker to compromise the remote server over SSH protocol.
Example of successful authentication:
FileZilla Client connected to a remote server over FTP protocol.
Obtained cleartext credentials inside the memory of FileZilla:
(Password: admin123*)
(Username: admin)
Reproducing of Attack
1-) Dump the FileZilla Client process with task manager
2-) Extract String data inside RAW memory dump
3-) Obtain the Username and Password as cleartext format
The memory address of the stored user credentials are changing every time when a user tries to connect another remote server or exit and reopen the FileZilla Client software but still it was easy to find the user credentials amongst all these String data.
The user credentials are stored in memory every time in a very simple sequence like (IP -> Password) that means you can programmatically obtain this credentials even if you didn’t know the metadata of the password/username.
When a user tries to connect to a remote server via FTP or SFTP protocol with Username and Password the attacker is able to get cleartext user credentials that are stored unencrypted on memory of FileZilla even if the user doesn’t want to choose to save the user credentials.
Real World Attack Example
In that part I will share the possible real world attack example that can cause the compromise of remote servers and user credentials. At first in order to obtain the cleartext credentials as an attacker, the user must enter user credentials data inside FileZilla Client GUI or CLI.
You may ask this question to me; “An attacker able to get unsaved user credentials inside the FileZilla client without a vulnerability such as using a keylogger to obtain all user inputs as cleartext format so what is the benefits of this ?”
Using this vulnerability as an attacker will increase the stealthiness of the attacks rather then installing a keylogger/password stealer into a system and it have much more targeted goal such as comprises the remote servers by abusing a legitimate but unsecure Software.
Proof of Concept Steps:
When the users clicks on a BAT file these steps will occurred
1-) Dump the FileZilla Client process with help of Windows Sysinternal tool called procdump.exe and save that RAW memory dump into disk
2-) Compress the RAW memory dump with help of 7zip and save it into disk
3-) Send compressed ZIP file into attackers Mega upload account
Then the attacker downloads the RAW memory dump and saves it on own device to extract strings inside the RAW memory dump file, this file now has cleartext FTP user credentials that was being used once by user to connect remote FTP server.
The proof of concept video can be seen here :
Remediation
Do not hard code sensitive data in programs.
Disable memory dumps.
Do not store sensitive data beyond its time of use in a program.
Do not store sensitive data in plaintext (either on disk or in memory).
Securely erase sensitive data from memory.
If you must store sensitive data, encrypt it first !!
Conclusion
The exploitation of this Vulnerability is relay easy and it can be done by many different ways. I took every opportunity to contact the Software vendor and follow responsible disclosure protocols but unfortunately there is no patch available yet.
Time-lapse of Vulnerability Disclosure: