Date: Wed, 14 Jan 2004 20:11:42 +0000
From: Luigi Auriemma <aluigi@...ervista.org>
To: bugtraq@...urityfocus.com
Subject: Multiple vulnerabilities in WWW Fileshare Pro <= 2.42



#######################################################################

                             Luigi Auriemma

Application:  WWW File Share Pro
              http://www.wfshome.com
Versions:     <= 2.42
Platforms:    Windows
Bugs:         - arbitrary server's files overwriting
              - remote crash
              - directory authorization bypass
Risk:         critical
Exploitation: remote
Date:         14 Jan 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From the vendor's website:

"WWW File Share Pro is a small HTTP server that can help you share
files with your friends. They can download files from your computer or
upload files from theirs. Simply specify a directory for downloads and
a directory for uploads. ...
WWW File Share Pro supports password protection. If you enable password
protection, only authorized user can access your service."


#######################################################################

=======
2) Bugs
=======


A] Arbitrary server's files overwriting
---------------------------------------

The program has an option, enabled by default, that lets users upload
their files into a dedicated directory specified by the server's
administrator.
A flaw lets any user create or overwrite any file on the remote server
simply by using a dot-dot pattern in the name of the file passed to the
server.
The following is the normal parameter sent to the server:
   Content-Disposition: form-data; name="file"; filename="file.txt"

And this is the modified parameter that exploits the vulnerability:
   Content-Disposition: form-data; name="file"; filename="../../../file.txt"


B] Remote crash
---------------

An attacker can crash the remote server by sending a large amount of
data with the POST method.
The effects are CPU usage at 100% if the data is not too large (less
than 2 megabytes), and a server crash, or even a complete system freeze,
if the data is larger.


C] Directory authorization bypass
---------------------------------

If the server has some protected directories, the attacker can bypass
the authorization process and gain full access to them.
This bug affects only the per-directory protection and NOT the "whole
site" protection (option in the User/Password settings).
To exploit the bug, a dot must be used at the end of the URL, or one or
more slashes or backslashes at the beginning of the URI.
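As an added, defender-side illustration (not part of this advisory and not
code from WWW File Share Pro), the two checks a server of this kind needs:
a filename sanitizer for the multipart upload of bug A, and a path
canonicalizer that folds the trailing-dot, leading-backslash and
repeated-slash spellings of bug C into one string before the
protected-directory check. Function names are hypothetical, and the request
path is assumed to be already percent-decoded.

```python
import posixpath
import re

# Filename parameter of a multipart part header, e.g.
# 'form-data; name="file"; filename="../../../file.txt"'
_FILENAME_RE = re.compile(r';\s*filename="([^"]*)"')


def filename_from_disposition(header):
    """Return the raw filename parameter of a Content-Disposition value."""
    m = _FILENAME_RE.search(header)
    if not m:
        raise ValueError("no filename parameter")
    return m.group(1)


def safe_upload_name(filename):
    """Bare name safe to join with the upload directory; any directory
    component is refused outright, so '../../../file.txt' never reaches disk."""
    if "/" in filename or "\\" in filename or "\x00" in filename:
        raise ValueError("path separators not allowed in upload filename")
    name = filename.rstrip(". ")  # Windows drops trailing dots/spaces on create
    if name in ("", ".", ".."):
        raise ValueError("empty or special filename")
    return name


def canonical_uri_path(path):
    """Fold '/directory./', '/\\directory/', '///directory/' and '\\directory/'
    into the same string as '/directory/'. Assumes percent-decoding is done."""
    p = path.split("?", 1)[0].replace("\\", "/")
    segments = []
    for s in p.split("/"):
        # Windows ignores trailing dots and spaces in a name ('directory.'
        # opens 'directory'); mirror that, but leave '.' and '..' for normpath.
        segments.append(s if s.strip(". ") == "" else s.rstrip(". "))
    p = "/" + "/".join(segments).lstrip("/")  # exactly one leading slash
    return posixpath.normpath(p)  # resolves '.', '..' and repeated slashes


def requires_auth(path, protected_dirs):
    """True if the canonical request path lies inside a protected directory."""
    p = canonical_uri_path(path)
    for d in protected_dirs:
        d = canonical_uri_path(d)
        if d == "/" or p == d or p.startswith(d + "/"):
            return True
    return False
```

The authorization check must run on the canonical path, not on the raw
request line, otherwise each alternate spelling is compared as a different
directory.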


#######################################################################

===========
3) The Code
===========


A] Arbitrary server's files overwriting
---------------------------------------

The following is example data to send with telnet or netcat to the
server; it will create a file called badfile.txt three directories above
the upload folder (so usually the file will be c:\badfile.txt):

   http://aluigi.altervista.org/poc/wfshare-up.txt


B] Remote crash
---------------

The following are some examples using two of my generic toolz:

   http://aluigi.altervista.org/poc/webpostmem.zip
   http://aluigi.altervista.org/mytoolz/poststrike.zip

To test the CPU at 100%, use "webpostmem 2000 1 server".
To test crashing the server, use webpostmem with a higher first value,
or use "poststrike server".
To try to freeze the system, you can launch "webpostmem 1000 10 server"
and try other methods.


C] Directory authorization bypass
---------------------------------

   http://server/directory./
   http://server/\directory/
   http://server///directory/
   "GET \directory/ HTTP/1.0"


#######################################################################

======
4) Fix
======


Upgrade to version 2.48, or apply the upgrade patch if version 2.46 is
already installed on the system.
Note: version 2.46 patches all the bugs except one type of directory
authorization bypass, which was fixed in version 2.48.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org


