Bugtraq mailing list archives

Multiple Vulnerabilities In FaSTream FTP++ (+ ICS Tftpserver DoS)


From: SNS Research <vuln-dev () greyhack com>
Date: Fri, 19 Jan 2001 21:38:33 +0100

=-

Note: Be advised that the DoS mentioned below can be traced back to
TFtpServer. This is a (beta-)component of the "Internet Component
Suite" for Delphi/C++ Builder, available from http://www.overbyte.be.
Other products using this component could be vulnerable; its creator
has been notified. -- SNS Research

=-


Strumpf Noir Society Advisories
! Public release !
<--#


-= Multiple Vulnerabilities In FaSTream FTP++ =-

Release date: Friday, January 19, 2001


Introduction:

FaSTream FTP++ is a filesharing application for the different MS
Windows flavours.

FaSTream FTP++ is available from vendor Fastream Technologies'
website: http://www.fastream.com


Problem(s):

FaSTream FTP++ DoS condition

FaSTream's embedded ftp-server can be flooded into unresponsiveness
by sending a request of 2048 bytes or greater size to it.

For example:

C:\>ftp victimserver
Connected to victimserver
220 Fastream FTP++ 2 Server Ready
User (victimserver:(none)): aaaaaaaaaaaaaaaaaa(2048 bytes)

After this the server will keep accepting connections but will respond
to no commands offered.


FaSTream FTP++ path disclosure/directory browsing

When the root-directory for the ftp-server is set, any user with
access to the ftp-server can not only list the path to this dir, but
can break out of it and produce listings of other directories and
drives on the same machine.

ftp> pwd
257 "/C:/FTPROOT/" is current directory.
ftp> ls c:/
200 Port command successful.
150 Opening data connection for directory list.

(listing of c:\)

226 File sent ok
ftp: xx bytes received in x.xx seconds xxKbytes/sec.

Same goes for ls d:/ for example.

Note:  FTP++ server is an entry level read-only server with no user
permissions (anonymous ftp). Users don't have any form of read/write
access to files outside the server-directory.


FaSTream FTP++ password protection

Although the server part of FaSTream FTP++ features a password
protection option in its settings panel, the username/password
combinations, which are stored in the (unencrypted) servername.fpl-file,
have no relevance to the login-process. We've been told that the
commands "USER" and "PASS" are there just to maintain compatibility
with other ftp clients. FTP++ is not, nor is it intended to be, an
industry-strength ftp server.. obviously.


(..)


Solution:

Vendor has been notified and has uploaded FaSTream FTP++ Beta 10
Build 3 to its site, which fixes the path disclosure problem.
There is at this time no known fix for the DoS. This was tested
against FaSTream FTP++ 2 Beta 10 Build 2.


yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!
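
Added example (not part of the advisory and not vendor code): one way a server can confine LIST/CWD arguments to its configured root, so that arguments such as "c:/" or "d:/" from the directory browsing issue above are refused. The function name resolve_virtual and the convention that "/" denotes the configured FTP root are assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Resolve a client-supplied path against the virtual working directory.
 * "/" stands for the configured FTP root (assumption of this sketch).
 * Writes a normalized virtual path to out and returns 0, or returns -1
 * if the argument must be refused. */
int resolve_virtual(const char *cwd, const char *arg, char *out, size_t outlen)
{
    char buf[512];
    int is_abs = (arg[0] == '/' || arg[0] == '\\');
    /* A colon means a drive specifier ("c:/") or an NTFS stream: refuse. */
    if (strchr(arg, ':') != NULL)
        return -1;
    int n = snprintf(buf, sizeof buf, "%s/%s", is_abs ? "" : cwd, arg);
    if (n < 0 || (size_t)n >= sizeof buf || outlen < 2)
        return -1;                      /* over-long input is refused, not truncated */
    size_t len = 0;                     /* length of the path built so far in out */
    out[0] = '\0';
    for (char *p = buf; *p; ) {
        char *seg = p;
        while (*p && *p != '/' && *p != '\\')   /* both separators count on Windows */
            p++;
        size_t seglen = (size_t)(p - seg);
        if (*p) p++;
        if (seglen == 0 || (seglen == 1 && seg[0] == '.'))
            continue;                   /* empty segment or "." */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (len == 0)
                return -1;              /* ".." at the root would leave the jail */
            while (out[--len] != '/') { }       /* drop the last segment */
            out[len] = '\0';
            continue;
        }
        if (len + 1 + seglen + 1 > outlen)
            return -1;
        out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len] = '\0';
    }
    if (len == 0)
        strcpy(out, "/");
    return 0;
}

int main(void)
{
    const char *args[] = { "c:/", "d:/", "../..", "pub\\..\\files" };  /* constructed inputs */
    char out[256];
    for (int i = 0; i < 4; i++)
        printf("%-16s -> %s\n", args[i],
               resolve_virtual("/", args[i], out, sizeof out) == 0 ? out : "refused");
    return 0;
}
```

The returned virtual path is what the server would append to its real root directory, and the PWD reply would report only that virtual path rather than the on-disk location.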

