lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: at4r at (aT4r ins4n3)
Subject: [ADVISORY] Fastream NETFile FTP/Web Server

Fastream NETFile FTP/Web Server Input validation Errors

Release Date: 4 July 2004

Severity: High

Systems Affected: Fastream NETFile FTP/Web Server <=v.

Systems Not Affected: Fastream NETFile FTP/Web Server v6.7.3

Vendor URL:

Original Advisory:

Author: Andres Tarasco Acu?a
email: 	at4r @

1. Description

Vendor's Description:

"Fastream NETFile Server is a secure FTP server and Web server combined
in one application. Our claim is that it is the easiest to setup and use
on the Internet!"
"Fastream NETFile FTP Server is a multi-threaded FTP server with virtual
quotas, U/D ratio and extremely fast directory and file caches. Besides
being a
fast FTP server with full user and group based permissions and file and
 cache, NETFile Server is also a Web server that is developed for sharing

Fastream NETFile Web Server is a web server with full HTTP 1.1
compatibility with
 support for multi-part downloads and keep-alive connections."

2. Vulnerability

There are some input validation errors in Fastream Netfile that allow
users to
bypass the root directory restrictions.
Due to the fact that Fastream Netfile allow remote users to
 files in the application directory, its easy to exploit this
vulnerability and
compromise the system.
Another vulnerability was reported, in the  way that Netfile handles some
After requestin a special crafted directory it's possible to cause a 1 minute
Denial of Service.

3. Exploit code

The problem is in the way that Netfile handles two Slashes.
example URL:


C:\>dir FOLDE*
 Volume in drive C is W2000P
 Volume Serial Number is xxxx-xxxx

 Directory of C:\

07/03/2004  07:47p      <DIR>          FOLDER_IS_OUTSIDE_THE_ROOT_DIRECTORY
               0 File(s)              0 bytes
               1 Dir(s)     119,015,936 bytes free

Netfile allows some other methods in the "command" parameter, that could
be used to
create/delete folders/files outside the Root directory.

To exploit the upload files vulnerability we need to take a look to the
data sent
in the POST request:

Content-Disposition: form-data; name="upfile"; filename="D:\foo.txt"
Content-Type: text/plain



Its possible for an attacker to modify the filename parameter to something
Filename="//..//autorun.inf" and place malicious files in the system, or
existing files.

Seems that the FTP Server is not vulnerable to this issue and transversal
attacks are not possible, but there is another bug that allows malicious
users to cause
a denial of service by executing the following command:

D:\>ftp localhost
Connected to at4r.intranet.
220 Fastream NETFile FTP Server Ready
User (at4r.intranet:(none)): ftp
331 Password required for ftp.
230 User ftp logged in.
ftp> cd /////A <-- here the ftp server hangs for a lot of time
599 No such directory.

4. Solution:

The best solution is to upgrade the software to version 6.7.3 that was
released by
vendor 3 july 2004.
Another way to minimize the impact of this vulnerability is to store the root
directory of Fastream netfile server in other partition and remove
create/delete file
and directory permissions from all users, included Guest accounts.

5. Timeline

-3 July, 2004: Vendor Contacted.
-3 July, 2004: Issue Fixed after 2 hours. New release 6.7.3 available
-4 July, 2004: Public Disclosure

Powered by blists - more mailing lists