=- Note: Be advised that the DoS described below can be traced back to TFtpServer. This is a (beta) component of the "Internet Component Suite" for Delphi/C++ Builder, available from http://www.overbyte.be. Other products using this component could be vulnerable; its creator has been notified. -- SNS Research =-

Strumpf Noir Society Advisories ! Public release ! <--#

-= Multiple Vulnerabilities In FaSTream FTP++ =-

Release date: Friday, January 19, 2001

Introduction:

FaSTream FTP++ is a filesharing application for the different MS Windows flavours. FaSTream FTP++ is available from vendor Fastream Technologies' website: http://www.fastream.com

Problem(s):

FaSTream FTP++ DoS condition

FaSTream's embedded ftp-server can be flooded into unresponsiveness by sending it a single request of 2048 bytes or more. For example:

C:\>ftp victimserver
Connected to victimserver
220 Fastream FTP++ 2 Server Ready
User (victimserver:(none)): aaaaaaaaaaaaaaaaaa(2048 bytes)

After this the server keeps accepting new connections but no longer responds to any command offered on them.

FaSTream FTP++ path disclosure/directory browsing

When a root directory is set for the ftp-server, any user with access to the server can not only see the physical path to this directory (PWD returns it), but can also break out of it and produce listings of other directories and drives on the same machine by handing a drive-qualified path to LIST:

ftp> pwd
257 "/C:/FTPROOT/" is current directory.
ftp> ls c:/
200 Port command successful.
150 Opening data connection for directory list.
(listing of c:\)
226 File sent ok
ftp: xx bytes received in x.xx seconds xxKbytes/sec.

The same goes for ls d:/, for example.

Note: FTP++ server is an entry-level read-only server with no user permissions (anonymous ftp). Users do not have any form of read/write access to files outside the server directory; what leaks is the physical path and the directory listings.

FaSTream FTP++ password protection

Although the server part of FaSTream FTP++ features a password protection option in its settings panel, the username/password combinations, which are stored in the (unencrypted) servername.fpl file, have no bearing on the login process. We have been told that the commands "USER" and "PASS" are there just to maintain compatibility with other ftp clients. FTP++ is not, nor is it intended to be, an industrial-strength ftp server, obviously. (..)

Solution:

The vendor has been notified and has uploaded FaSTream FTP++ Beta 10 Build 3 to its site, which fixes the path disclosure problem. There is at this time no known fix for the DoS.

This was tested against FaSTream FTP++ 2 Beta 10 Build 2.

yadayadayada

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) compliant; all information is provided on an AS IS basis.

EOF, but Strumpf Noir Society will return!
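The following Python model shows how an FTP control-connection handler would treat the three findings above: it caps the command line before parsing it instead of letting an oversized request stall the server, it makes the USER/PASS pair actually decide the login, and it confines LIST arguments to the configured root (refusing c:/, d:/ and ..\ breakouts) while PWD reports only the virtual root. It is an added example, not code from the advisory, from FaSTream or from the ICS TFtpServer component; FTP_ROOT, MAX_LINE, the CREDENTIALS table, the Session class and the reply texts are all assumptions of this example. resolve_naive reproduces the observable breakout (a drive-qualified argument discards the root on join) without claiming to be the original server's code.

```python
"""Added example: a model FTP command handler hardened against the three
findings in the advisory above. Not FaSTream or ICS code; FTP_ROOT,
MAX_LINE, CREDENTIALS and the Session class are assumptions of this example."""
import hmac
import ntpath

FTP_ROOT = r"C:\FTPROOT"   # assumption: the physical root quoted in the advisory's PWD reply
MAX_LINE = 512             # assumption: byte cap applied to a command line before parsing
# Constructed credential table for the example; a real server stores salted hashes.
CREDENTIALS = {"alice": "correct horse"}


def resolve_naive(root: str, arg: str) -> str:
    """Behaviour the advisory observes: joining root with an argument that
    carries its own drive letter (c:/, d:/) simply discards the root."""
    return ntpath.normpath(ntpath.join(root, arg))


def resolve_confined(root: str, arg: str):
    """Treat the client's argument as a path *inside* root.
    Returns the physical path, or None if it would leave the root."""
    root = ntpath.normpath(root)
    drive, tail = ntpath.splitdrive(arg.replace("/", "\\"))
    if drive:                       # a drive letter or UNC prefix is never legitimate here
        return None
    candidate = ntpath.normpath(ntpath.join(root, tail.lstrip("\\")))
    # Compare case-insensitively, and require a separator after the root so
    # that C:\FTPROOT2 is not mistaken for something under C:\FTPROOT.
    c, r = ntpath.normcase(candidate), ntpath.normcase(root)
    if c != r and not c.startswith(r + "\\"):
        return None
    return candidate


class Session:
    """One control connection. Replies are strings; the data channel is out of scope."""

    def __init__(self, root: str = FTP_ROOT, creds=CREDENTIALS):
        self.root, self.creds = root, creds
        self.user, self.authed = None, False

    def handle(self, line: bytes) -> str:
        # 1. Bound the line before decoding or parsing it: an oversized request
        #    gets a reply instead of stalling the server.
        if len(line) > MAX_LINE:
            return "500 Line too long"
        if not line.endswith(b"\r\n"):
            return "500 Syntax error, command unrecognized"
        verb, _, arg = line[:-2].decode("ascii", "replace").partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user, self.authed = arg, False
            return "331 Password required"
        if verb == "PASS":
            # 2. The stored credentials actually decide the login; constant-time compare.
            expected = self.creds.get(self.user or "", "")
            self.authed = bool(expected) and hmac.compare_digest(
                expected.encode(), arg.encode())
            return "230 Logged in" if self.authed else "530 Login incorrect"
        if not self.authed:
            return "530 Please login with USER and PASS"
        if verb == "PWD":
            # 3. Report the virtual root, never the physical path.
            return '257 "/" is current directory'
        if verb == "LIST":
            if resolve_confined(self.root, arg or ".") is None:
                return "550 Requested action not taken: path not permitted"
            return "150 Opening data connection for directory list"
        return "502 Command not implemented"


def replay_advisory_exchange() -> list:
    """Feed the requests from the advisory (plus a valid login) to a fresh session."""
    s = Session()
    return [
        s.handle(b"USER " + b"a" * 2048 + b"\r\n"),   # the DoS request
        s.handle(b"USER alice\r\n"),
        s.handle(b"PASS wrong\r\n"),                   # password now matters
        s.handle(b"LIST c:/\r\n"),                     # not even logged in yet
        s.handle(b"PASS correct horse\r\n"),
        s.handle(b"PWD\r\n"),                          # no physical path leaked
        s.handle(b"LIST c:/\r\n"),                     # drive breakout refused
        s.handle(b"LIST ..\\..\\WINNT\r\n"),           # dot-dot breakout refused
        s.handle(b"LIST pub\r\n"),                     # inside root: allowed
    ]


if __name__ == "__main__":
    print(resolve_naive(FTP_ROOT, "c:/"), resolve_confined(FTP_ROOT, "c:/"))
    for reply in replay_advisory_exchange():
        print(reply)
```

The confinement check after normalisation is the real defence; refusing drive-qualified arguments up front only gives a clearer error. The length cap is the whole of the DoS handling here because the advisory does not say why the real server stops answering, only that a request of 2048 bytes or more triggers it; a reader built on ICS should make sure the component's line buffer is bounded and that an overlong line produces a reply or a disconnect rather than a stall.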