SIG^2 Vulnerability Research Advisory

Fastream NETFile FTP/Web Server Directory Traversal Vulnerability

by Tan Chew Keong
Release Date: 25 Apr 2005

Summary

Fastream NETFile FTP/Web Server is a secure FTP server and Web server combined together in one program. It claims to be the "easiest to setup and administer server" on the Internet.

A directory traversal vulnerability was found in NETFile FTP's web interface. This vulnerability may be exploited by a user with file upload/delete privileges to upload/delete files outside the FTP root, or by a user with directory create/remove privileges to create/remove directories outside the FTP root.

 
Tested System

Fastream NETFile FTP/Web Server Version 7.4.6 on English Win2K SP4.

 
Details

A directory traversal vulnerability was found in NETFile FTP's web interface. This vulnerability may be exploited by a user with file upload/delete privileges to upload/delete files outside the FTP root, or by a user with directory create/remove privileges to create/remove directories outside the FTP root.

NETFile FTP supports file upload/download and directory creation/deletion via a Web Interface. The Web Interface has a directory traversal vulnerability that was previously reported by Andres Tarasco Acuna. It appears that this vulnerability was not sufficiently fixed and it is still exploitable by crafting the request in another way.

Shown below are sample requests to delete a file, to create a directory, and to remove a directory from outside the FTP root. To exploit this vulnerability, the user must have the appropriate FTP privileges to delete files and to create/remove directories.

http://[hostname]/?command=delete&filename=.../..//a/.../yyy.txt
http://[hostname]/?command=mkdir&filename=.../..//a/.../testdir
http://[hostname]/?command=rmdir&filename=.../..//a/.../testdir


The problem lies in the insufficient sanitisation of the filename input parameter before it is used. When the request is received, the value of the filename parameter is first concatenated to the name of the FTP root directory. Suppose the FTP root is C:\NFRoot; the concatenated filename will then be C:\NFRoot\.../..//a/.../yyy.txt. This concatenated filename is then passed to the GetFullPathName() Windows API function and the resulting output is C:\NFRoot\a\..\yyy.txt. This output satisfies a directory validation check since it lies within the FTP root.

As a comparison, if the value of filename is ../..//a/.../yyy.txt (using two preceding dots instead of three), the resulting output from GetFullPathName() will be C:\a\..\yyy.txt. This will fail the directory validation check.

If the output from GetFullPathName() satisfies the directory validation check, the AbsolutisePath function will be called. This function simplifies the original supplied filename by removing directory traversal sequences. For example, the filename /dir1/dir2/../file.txt will be simplified to /dir1/file.txt. That is, a loop will remove sequences of the type "/dirname/..".

To exploit this vulnerability, the value of filename must satisfy the directory validation check, and must contain directory traversal sequences that can survive the pathname simplification process. The filenames used in the examples above have been crafted to meet both criteria. The simplification process is illustrated below.

All forward slashes will be converted to backward slashes by a call to UnixPathToDosPath before AbsolutisePath is called.

...\..\\a\...\yyy.txt	// initial
.\a\...\yyy.txt		// after first pass
..\yyy.txt		// after second pass

The loop will terminate when the sequence "\.." does not appear in the string.  Hence, "..\yyy.txt" results.


A directory traversal vulnerability also exists when the server accepts file uploads via a POST request using the web interface. It is possible to use directory traversal characters to cause files to be saved outside the FTP root. An example is shown below.

Original Request
-----------------------------265001916915724
Content-Disposition: form-data; name="upfile"; filename="testfile.txt"
Content-Type: text/plain

test
-----------------------------265001916915724--

Manipulated Request
-----------------------------265001916915724
Content-Disposition: form-data; name="upfile"; filename="../testdir/testfile.txt"
Content-Type: text/plain

test
-----------------------------265001916915724--
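
The simplification flaw and the upload case described above, as an added example that is not part of the original advisory or the vendor's code. naive_simplify is an assumed model of a loop that matches "\.." as a substring (it reproduces the advisory's benign case and its second pass), and resolve_inside_root is a hypothetical hardened check that validates each component and checks the same string it returns.

```python
import ntpath  # Windows path semantics, usable on any platform

def naive_simplify(path: str) -> str:
    # Assumed model of a substring-based loop: find "\..", then delete it
    # together with the "\dirname" in front of it, until no "\.." remains.
    while r"\.." in path:
        i = path.find(r"\..")
        j = max(path.rfind("\\", 0, i), 0)
        path = path[:j] + path[i + 3:]
    return path

def resolve_inside_root(root: str, user_path: str) -> str:
    # Hardened form: validate each component, canonicalise once, then
    # check and return the very same string that will be opened.
    parts = [p for p in user_path.replace("/", "\\").split("\\") if p]
    for part in parts:
        # Dot-only names (".", "..", "...") and drive/stream colons are refused.
        if part.strip(". ") == "" or ":" in part:
            raise ValueError(f"rejected path component: {part!r}")
    root_n = ntpath.normpath(root)
    full = ntpath.normpath(ntpath.join(root_n, *parts))
    if ntpath.commonpath([root_n, full]).lower() != root_n.lower():
        raise ValueError("path escapes the root")
    return full

def is_rejected(root: str, user_path: str) -> bool:
    try:
        resolve_inside_root(root, user_path)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    ROOT = r"C:\NFRoot"  # FTP root used in the advisory's explanation
    print(naive_simplify(r"\dir1\dir2\..\file.txt"))   # benign case
    print(naive_simplify(r".\a\...\yyy.txt"))          # advisory's second pass
    for name in ("dir1/file.txt", ".../..//a/.../yyy.txt",
                 "../testdir/testfile.txt"):
        print(name, "->", "rejected" if is_rejected(ROOT, name) else "ok")
```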

 
Patch

  1. Upgrade to Version 7.5.0 Beta 7 or above, which fixes this particular directory traversal vulnerability.
  2. Or, disable the web interface.
  3. Or, allow only trusted users to upload/delete files and create/remove directories.

 
Disclosure Timeline

17 Apr 05 - Vulnerability Discovered.
21 Apr 05 - Initial Vendor Notification.
21 Apr 05 - Initial Vendor Reply.
21 Apr 05 - Vendor Provided 7.5.0 Beta 6 for Testing.
21 Apr 05 - Informed Vendor that File-Upload Directory Traversal is not Fixed.
22 Apr 05 - Vendor Provided 7.5.0 Beta 7 for Testing.
25 Apr 05 - Public Release.

 
Contacts

For further questions and enquiries, email them to the following.

Overall-in-charge: Tan Chew Keong


Updated: 25/04/2005
webmaster@security.org.sg