[NT] Fastream NETFile FTP/Web Server Input validation Errors
From: SecuriTeam (support_at_securiteam.com)
To: email@example.com
Date: 4 Jul 2004 18:45:52 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Fastream NETFile FTP/Web Server Input validation Errors
Fastream NETFile Server is "a secure FTP server and Web server combined
together in one application. Our claim is that it is the easiest to setup
and use server on the Internet". Two security vulnerabilities in the
Fastream NETFile allow a remote attacker to either write to files that
reside outside the bounding HTTP root directory or to cause a denial of
* Fastream NETFile FTP/Web Server version 220.127.116.115 and prior
* Fastream NETFile FTP/Web Server version 18.104.22.1686
There are some input validation errors in Fastream NETFile that allow
users to bypass the root directory restrictions. It is easy to exploit
this vulnerability and compromise the system because Fastream NETFile
allows remote users to upload/create/delete files in the application
directory. Another vulnerability exists in the way that NETFile handles
some URLs. After requesting a specially crafted directory it is possible to
cause a 1 minute Denial of Service.
The problem is in the way that NETFile handles two slashes.
Volume in drive C is W2000P
Volume Serial Number is xxxx-xxxx
Directory of C:\
07/03/2004 07:47p <DIR>
0 File(s) 0 bytes
1 Dir(s) 119,015,936 bytes free
NETFile allows some other methods in the "command" parameter that could be
used to create/delete folders/files outside the root directory.
To exploit the file upload vulnerability we need to take a look at the
data sent in the POST request:
Content-Disposition: form-data; name="upfile"; filename="D:\foo.txt"
THIS IS AN EXAMPLE
It is possible for an attacker to modify the filename parameter to something
like: Filename="//..//autorun.inf" and place malicious files on the
system, or overwrite existing files.
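A server-side check that confines the upload filename shown above to the upload root, as an added example (it is not part of the original advisory and is not Fastream's code). The function names and the strip-then-confine policy are assumptions made for illustration.

```python
import ntpath
import os
import posixpath
import tempfile


class UnsafeFilename(ValueError):
    """Raised when a client-supplied upload name cannot be stored safely."""


def client_leaf(client_filename):
    """Reduce the multipart filename= value to a bare leaf name."""
    # Treat "\" and "/" alike, whatever OS the server runs on.
    leaf = posixpath.basename(client_filename.replace("\\", "/"))
    # Drop a drive prefix such as "D:" left on a drive-relative name.
    leaf = ntpath.splitdrive(leaf)[1]
    # Win32 ignores trailing dots and spaces, so ".. ." would act like "..".
    leaf = leaf.rstrip(" .")
    # Reject empty names, NUL bytes and ":" (NTFS alternate data streams).
    if not leaf or "\x00" in leaf or ":" in leaf:
        raise UnsafeFilename(repr(client_filename))
    return leaf


def safe_upload_path(root, client_filename):
    """Return an absolute path inside root, or raise UnsafeFilename."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, client_leaf(client_filename)))
    # Second check after resolution: catches symlinks that point out of root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafeFilename(repr(client_filename))
    return candidate


if __name__ == "__main__":
    upload_root = tempfile.mkdtemp()  # constructed stand-in for the HTTP root
    # The two filename values quoted in the advisory, plus constructed variants.
    for name in ["D:\\foo.txt", "//..//autorun.inf", "..", "..\\..\\", "x.txt:ads"]:
        try:
            print(f"{name!r:22} -> {safe_upload_path(upload_root, name)}")
        except UnsafeFilename:
            print(f"{name!r:22} -> rejected")
```

Both filename values from the advisory end up as plain leaf names inside the upload root; names that reduce to nothing after stripping are rejected outright.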
It seems that the FTP Server is not vulnerable to this issue and directory
traversal attacks are not possible, but there is another bug that allows
malicious users to cause a denial of service by executing the following
Connected to at4r.intranet.
220 Fastream NETFile FTP Server Ready
User (at4r.intranet:(none)): ftp
331 Password required for ftp.
230 User ftp logged in.
ftp> cd /////A <-- here the ftp server hangs for a lot of time
599 No such directory.
The best solution is to upgrade the software to version 6.7.3, which was
released by the vendor on 3 July 2004. Another way to minimize the impact of
this vulnerability is to store the root directory of the Fastream NETFile
server on another partition and remove create/delete file and directory
permissions from all users, including Guest accounts.
3 July, 2004: Vendor Contacted.
3 July, 2004: Issue Fixed after 2 hours. New release 6.7.3 available
4 July, 2004: Public Disclosure
The information has been provided by at4r (firstname.lastname@example.org).
The original article can be found at: