From: SecuriTeam <support@securiteam.com>
To: [email protected]
Date: 27 Apr 2005 17:43:19 +0200
Subject: [NT] Fastream NETFile FTP/Web Server Directory Traversal
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050427145014.D8D43574F@mail.tyumen.ru>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Fastream NETFile FTP/Web Server Directory Traversal
------------------------------------------------------------------------
SUMMARY
<http://www.fastream.com/netfileserver.htm> Fastream NETFile FTP/Web
Server is "a secure FTP server and Web server combined together in one
program. It claims to be the 'easiest to setup and administer server' on
the Internet".
A directory traversal vulnerability was found in NETFile FTP's web
interface. This vulnerability may be exploited by a user with file
upload/delete privileges to upload/delete files outside the FTP root, or
by a user with directory create/remove privileges to create/remove
directories outside the FTP root.
DETAILS
Vulnerable Systems:
* Fastream NETFile FTP/Web Server version 7.4.6
Immune Systems:
* Fastream NETFile FTP/Web Server version 7.5.0 Beta 7
The problem lies in the insufficient filtering of the filename input
parameter of the web interface. When a request is received, the value of
the filename parameter is first appended to the name of the FTP root
directory, and the result is passed to the GetFullPathName() Windows API
function; the output of that call is what the directory validation check
inspects.
Suppose the FTP root is C:\NFRoot and the supplied filename is
.../..//a/.../yyy.txt. The concatenated filename is
C:\NFRoot\.../..//a/.../yyy.txt, and GetFullPathName() turns it into
C:\NFRoot\a\..\yyy.txt. This output satisfies the directory validation
check, since it lies within the FTP root.
For comparison, if the value of filename is ../..//a/.../yyy.txt (two
leading dots instead of three), GetFullPathName() returns
C:\a\..\yyy.txt, which fails the directory validation check.
If the output from GetFullPathName() satisfies the directory validation
check, the AbsolutePath function is called. This function does not work on
the GetFullPathName() output; it simplifies the originally supplied
filename by removing directory traversal sequences, using a loop that
deletes sequences of the form "/dirname/..". For example,
/dir1/dir2/../file.txt is simplified to /dir1/file.txt. The string that is
validated and the string that is used for the file operation are therefore
not the same.
To exploit this vulnerability, the value of filename must satisfy the
directory validation check, and it must contain directory traversal
sequences that survive the pathname simplification. The filename used in
the example above has been crafted to meet both criteria. All forward
slashes are converted to backslashes by a call to UnixPathToDosPath before
AbsolutePath is called, so the simplification loop sees the string traced
below (the text after // is annotation, not part of the string).
...\..\\a\...\yyy.txt // initial
\a\...\yyy.txt // after first pass
..\yyy.txt // after second pass
The loop terminates when the sequence "\.." no longer appears in the
string, so "..\yyy.txt" is the result. Used relative to the FTP root, that
is C:\NFRoot\..\yyy.txt, i.e. C:\yyy.txt, one level above the root, even
though the string that passed the validation check lay inside it.
Workaround:
Disable the web interface, or grant file upload/delete and directory
create/remove privileges only to trusted users. Version 7.5.0 Beta 7,
listed above as immune, was supplied by the vendor during disclosure.
Disclosure Timeline:
17 Apr 05 - Vulnerability Discovered
21 Apr 05 - Initial Vendor Notification
21 Apr 05 - Initial Vendor Reply
21 Apr 05 - Vendor Provided 7.5.0 Beta 6 for Testing
21 Apr 05 - Informed Vendor that File-Upload Directory Traversal is not Fixed
22 Apr 05 - Vendor Provided 7.5.0 Beta 7 for Testing
25 Apr 05 - Public Release
ADDITIONAL INFORMATION
The information has been provided by Chew Keong TAN
<mailto:chewkeong@security.org.sg>.
The original article can be found at:
http://www.security.org.sg/vuln/netfileftp746.html
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.