CVE-2023-36049

What is CVE-2023-36049 vulnerability?

CVE-2023-36049 is a flaw in the System.Net.WebRequest and System.Net.FtpWebRequest components of the .NET framework.

Specifically, it is an FTP Command Injection vulnerability. If an application accepts a user-supplied URI and uses it to connect to an FTP server, the .NET framework failed to properly validate the input for special characters—specifically Carriage Return (CR) and Line Feed (LF).

By injecting these characters, an attacker can append entirely new FTP commands to the session, executing actions the application developer never intended, such as deleting files or uploading malware.

When was it discovered?

The vulnerability was publicly disclosed and patched by Microsoft on November 14, 2023 (Patch Tuesday). It was reported by Piotr Bazydło of Trend Micro's Zero Day Initiative (ZDI).

Affected products & versions

This vulnerability is widespread, affecting nearly all supported versions of .NET at the time of disclosure.

CVE-2023-36049 technical description

The vulnerability exists in the FormatFtpCommand method within System.Net.FtpControlStream. This method is responsible for formatting commands sent to an FTP server.

In a standard FTP transaction, commands are terminated by a CRLF sequence (\r\n). The vulnerability arises because the affected .NET component did not verify if the parameters passed to it already contained CRLF characters.

An attacker can exploit this by providing a malicious URI. For example, if an app connects to ftp://server.com/path/file, an attacker might input:

ftp://server.com/path/file%0d%0aDELE%20important.config

When the application processes this, the %0d%0a is decoded into a CRLF, effectively breaking the single command into two:

• The original (benign) command.

• A new, malicious command (DELE important.config) that the FTP server executes immediately.

Tactics, techniques & procedures (TTPs)

Attackers exploiting CVE-2023-36049 generally follow this pattern:

• Reconnaissance: Identifying web applications or services that accept user input (like a URL) and perform backend FTP operations (e.g., "Import from URL" features).

• Exploitation: Submitting a crafted URI containing URL-encoded CRLF characters (%0d%0a) followed by malicious FTP commands.

• Privilege Escalation / Impact:

• Arbitrary File Write: Injecting STOR commands to upload web shells or malicious binaries to the FTP server.

• Arbitrary File Deletion: Injecting DELE commands to remove critical configuration or log files.

• Permission Changes: Injecting CHMOD or similar commands to weaken file permissions.

Indicators of compromise

Detecting this activity requires looking at both application logs and network traffic:

• Network Signatures: Intrusion Detection Systems (IDS) can flag FTP packets containing multiple commands in a single sequence, or unexpected commands like DELE or STOR originating from an application that should only be reading files (RETR).

• Application Logs: Look for error logs in System.Net indicating "Protocol Violation" or "CRLF found in header" if the injection attempts fail or are partially caught.

• FTP Server Logs: Unusual sequences of commands coming from the IP address of your .NET application server.

Known proof-of-concepts & exploits

Technical write-ups and Proof-of-Concept (PoC) exploits were released by the Zero Day Initiative (ZDI) shortly after the patch.

These PoCs demonstrate how to use the System.Net.WebRequest class to delete files on a target FTP server without authentication (if the app connects anonymously) or using the app's stored credentials. While not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, the availability of PoCs makes it a viable target for attackers.

How to detect CVE-2023-36049 vulnerability?

• Vulnerability Scanning: Use tools like Tenable Nessus (Plugin ID 185887) or Microsoft Defender to identify .NET runtimes and Framework installations that have not received the November 2023 update.

• Code Review: Scan your own codebase for usage of WebRequest.Create or FtpWebRequest where the URI is constructed using unvalidated user input.

Impact & risk of CVE-2023-36049 vulnerability

The impact is rated High to Critical (CVSS 8.8 - 9.8).

If an attacker successfully exploits this, they can manipulate files on the backend FTP server with the same privileges as the application. This could lead to:

• Remote Code Execution (RCE): If the attacker uploads a malicious script (e.g., .aspx, .php) to a directory accessible via a web server.

• Data Loss: Deletion of critical business data.

• Service Disruption: Corrupting application configuration files.

Mitigation & remediation strategies

There is no workaround; patching is mandatory.

• Apply Security Updates: Install the Microsoft .NET Framework November 2023 Security and Quality Rollup immediately. This update modifies System.Net to properly sanitize input and reject CRLF characters in FTP parameters.

• Sanitize Input: As a defense-in-depth measure, developers should validate all user-supplied URIs to ensure they conform to expected formats and do not contain control characters like \r or \n before passing them to .NET networking classes.

• Least Privilege: Ensure that the credentials used by your application to connect to FTP servers have the minimum necessary permissions (e.g., Read-Only access if the app only needs to download files).