Description: This vulnerability allows hijacking of the CompleteFTP administrator account, which then leads to code execution with "SYSTEM" privileges. CompleteFTP Server versions prior to 12.1.3 are vulnerable to this attack.
Versions Affected: < 12.1.3
Researcher: Robert Fisher (@be0vlk, https://twitter.com/be0vlk)
Disclosure Link: https://rhinosecuritylabs.com/application-security/completeftp-server-local-privesc-cve-2019-16116/
NIST CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2019-16116
Vendor Disclosure: https://enterprisedt.com/products/completeftp/doc/guide/html/history.html
The attacker needs read access to the server install directory, which is the default. The exploit obtains the administrator's encrypted passphrase from the log file and uses it to log in to the management interface as the administrator. To escalate the attack, navigate to the "Process Triggers" section of the interface, where you can input arbitrary code to be executed as "SYSTEM".
Run the exploit from a standard user account on Windows where CompleteFTP Server is installed.
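
A defender-side check for the precondition described above, as an added example that is not part of the exploit or the vendor's tooling: it lists files under an install directory that broad, non-administrative groups are allowed to read. The function name `Test-LowPrivReadAccess` and the `-InstallDir` value are assumptions; this page does not give the install path or the log file name, so the operator supplies the path.

```powershell
# Added example. Assumption: the operator passes the CompleteFTP install
# directory; the path is not stated on this page.
function Test-LowPrivReadAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$InstallDir,
        # Well-known SIDs of broad, non-administrative groups.
        [string[]]$BroadSids = @(
            'S-1-1-0',       # Everyone
            'S-1-5-11',      # Authenticated Users
            'S-1-5-32-545',  # BUILTIN\Users
            'S-1-5-4'        # INTERACTIVE
        )
    )
    $read = [System.Security.AccessControl.FileSystemRights]::ReadData
    $sidType = [System.Security.Principal.SecurityIdentifier]

    Get-ChildItem -LiteralPath $InstallDir -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }   # ACL not readable from this account; skip the file
            # Explicit and inherited entries, with identities returned as SIDs so the
            # comparison does not depend on localized group names.
            foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
                $isAllow = $rule.AccessControlType -eq 'Allow'
                $isBroad = $BroadSids -contains $rule.IdentityReference.Value
                if ($isAllow -and $isBroad -and $rule.FileSystemRights.HasFlag($read)) {
                    [pscustomobject]@{
                        Path   = $file.FullName
                        Sid    = $rule.IdentityReference.Value
                        Rights = $rule.FileSystemRights
                    }
                }
            }
        }
}

# Usage (placeholder path, replace with the real install directory):
# Test-LowPrivReadAccess -InstallDir '<CompleteFTP install directory>' |
#     Where-Object Path -like '*.log'
```

The check reports Allow entries only and does not evaluate Deny entries, so a hit means the file should be reviewed rather than that it is proven readable. Any log file it reports is readable by the standard user accounts this issue depends on.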