COMMAND

    FaSTream FTP++

SYSTEMS AFFECTED

    FaSTream FTP++ (+ ICS Tftpserver)

PROBLEM

    The following is based on an SNS Research advisory. FaSTream FTP++
    is a file-sharing application for the various MS Windows flavours.
    FaSTream's embedded ftp-server can be flooded into unresponsiveness
    by sending it a request of 2048 bytes or more.

    For example:

        C:\>ftp victimserver
        Connected to victimserver
        220 Fastream FTP++ 2 Server Ready
        User (victimserver:(none)): aaaaaaaaaaaaaaaaaa(2048 bytes)

    After this the server will keep accepting connections, but will not
    respond to any command offered on them.

    When the root-directory for the ftp-server is set, any user with
    access to the ftp-server can not only see the full path to this
    directory, but can break out of it and produce listings of other
    directories and drives on the same machine.

        ftp> pwd
        257 "/C:/FTPROOT/" is current directory.
        ftp> ls c:/
        200 Port command successful.
        150 Opening data connection for directory list.
        
        (listing of c:\)
        
        226 File sent ok
        ftp: xx bytes received in x.xx seconds xxKbytes/sec.

    The same goes for ls d:/, for example. Note: the FTP++ server is an
    entry-level read-only server with no user permissions (anonymous
    ftp). Users do not have any form of read/write access to files
    outside the server-directory.
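    As an added example, not code from the SNS Research advisory nor
    from FaSTream or the ICS component, the following Python models the
    two server-side checks whose absence the sessions above illustrate:
    a bounded command-line reader that refuses an oversized line (such
    as the 2048-byte USER argument) instead of choking on it, and a path
    resolver that confines every client-supplied path to the ftp root
    (so "ls c:/" or "ls d:/" is answered with 550 rather than a listing).
    The root C:\FTPROOT is taken from the pwd output above; the 512-byte
    line bound, the CommandTooLong exception and the handle_* helpers
    are assumptions of this example. ntpath is used so that Windows path
    semantics apply whichever host runs it.

```python
import io
import ntpath

# Constructed values: the root matches the pwd output quoted above; the
# 512-byte bound is an assumed server-side limit, not a FaSTream setting.
FTP_ROOT = r"C:\FTPROOT"
MAX_CMD_LINE = 512


class CommandTooLong(Exception):
    """Raised when a command line exceeds MAX_CMD_LINE before a newline."""


def read_command_line(stream, max_len=MAX_CMD_LINE):
    """Read one CRLF-terminated command from `stream`, never buffering
    more than max_len + 1 bytes. Returns None at end of stream, the
    command bytes without the line ending otherwise, or raises
    CommandTooLong."""
    line = stream.readline(max_len + 1)
    if not line:
        return None
    if len(line) > max_len or not line.endswith(b"\n"):
        # Limit hit before the newline (or peer closed mid-line): refuse
        # the line instead of accumulating it indefinitely.
        raise CommandTooLong(f"command line exceeds {max_len} bytes")
    return line.rstrip(b"\r\n")


def resolve_within_root(root, requested):
    """Map an FTP path argument onto a filesystem path under `root`.
    Returns the normalised (lower-cased) path, or None when the argument
    would leave the root: a drive letter such as "c:/", a UNC prefix, or
    a ".." walk above the root."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    # A drive or UNC prefix means the client named a location outside
    # the FTP tree; the server must not honour it.
    if ntpath.splitdrive(requested)[0]:
        return None
    # Every client path is taken as relative to the FTP root.
    rel = requested.lstrip("/\\").replace("/", "\\")
    candidate = ntpath.normcase(ntpath.normpath(ntpath.join(root_n, rel)))
    try:
        if ntpath.commonpath([root_n, candidate]) != root_n:
            return None  # ".." climbed above the root
    except ValueError:
        return None      # different drive, or absolute/relative mix
    return candidate


def handle_command(stream, root=FTP_ROOT):
    """Read one command and return (reply, keep_connection) as a hardened
    server would. Only the two checks under discussion are modelled; no
    data connection or real directory listing is produced."""
    try:
        raw = read_command_line(stream)
    except CommandTooLong:
        return "500 Command line too long.", False  # and close the socket
    if raw is None:
        return None, False
    verb, _, arg = raw.decode("ascii", "replace").partition(" ")
    verb = verb.upper()
    if verb in ("LIST", "NLST", "CWD", "RETR"):
        target = resolve_within_root(root, arg or ".")
        if target is None:
            return "550 Path not accessible.", True
        return f"150 Opening data connection for {target}", True
    if verb == "USER":
        return "331 Password required.", True
    return "502 Command not implemented.", True


def handle_raw(data, root=FTP_ROOT):
    """Convenience wrapper: feed raw bytes as if read from a client socket."""
    return handle_command(io.BytesIO(data), root)


if __name__ == "__main__":
    # Constructed inputs mirroring the two sessions in the advisory.
    print(handle_raw(b"USER " + b"a" * 2048 + b"\r\n"))
    print(handle_raw(b"LIST c:/\r\n"))
    print(handle_raw(b"LIST pub\r\n"))
```

    The reader rejects the line at the byte limit rather than after the
    newline, which is what keeps a flood of long requests from tying up
    the control connection; the resolver treats every argument as
    relative to the root and compares the normalised result against the
    root prefix, so a drive letter, a UNC name and a ".." walk are all
    caught by the same comparison.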

    Although the server part of FaSTream FTP++ features a password
    protection option in its settings panel, the username/password
    combinations stored in the (unencrypted) servername.fpl file have
    no relevance to the login process. We've been told that the
    commands "USER" and "PASS" are there just to maintain compatibility
    with other ftp clients. FTP++ is not, nor is it intended to be, an
    industry-strength ftp server. Obviously.

SOLUTION

    Be advised that the above-mentioned DoS can be traced back to
    TFtpServer. This is a (beta) component of the "Internet Component
    Suite" for Delphi/C++ Builder, available from
    http://www.overbyte.be. Other products using this component could
    be vulnerable; its creator has been notified.

    The vendor has been notified and has uploaded FaSTream FTP++ Beta 10
    Build 3 to its site, which fixes the path disclosure problem. There
    is at this time no known fix for the DoS. This was tested against
    FaSTream FTP++ 2 Beta 10 Build 2.