Date: Tue, 15 Dec 2009 18:33:59 -0800
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: Rohit Patnaik <quanticle@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: Re: File Access Vulnerability in Easy File
 Sharing Web Server

I actually DID try to access the .sdb in Ubuntu but that was before I identified the file format of the db as myDB as noted.  I do not know of a 'nix-based tool for access to the db.  If you just want to verify, you can open the .sdb with a text/hex editor and parse out a filename for yourself - it's pretty straightforward.  If you want to script the download of all files on a vulnerable server (for testing, of course) then you'll probably need to go ahead and set up a VM.

t

From: Rohit Patnaik [mailto:quanticle@...il.com]
Sent: Tuesday, December 15, 2009 6:29 PM
To: Thor (Hammer of God)
Cc: bugtraq@...urityfocus.com; full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

Wow.  Very nice find.  One question: all the cited tools are Windows executables.  Has there been any attempt to run the database viewer in Linux via Wine?  I'm wondering if I'm going to have to set up a VM to try to confirm this, or if I can try to do this via Wine.

Although the n3td3v drama is entertaining, it's finds like this which keep me subscribed to this list.

Thanks again,
Rohit Patnaik

On Tue, Dec 15, 2009 at 6:16 PM, Thor (Hammer of God) <thor@...merofgod.com> wrote:
File Access Vulnerability in Easy File Sharing Web Server

Discovered by:
Timothy "Thor" Mullen


Testing by Steve "Raging Haggis" Moffat, Hammer of God, Bermuda Labs

Product:        Easy File Sharing Web Server, current versions, default installation
Vendor:         http://www.sharing-file.com/

Vendor Notification and Disclosure:
08/22/09: EFSW support notified of issue.
08/22/09: EFSW said it is not an issue because you can turn off direct file access.
08/23/09: EFSW support notified that FILES.SDB file can be directly accessed.
08/24/09: EFSW replied, saying 'no, you can't access the file,' even though you can.
12/15/09: Hammer of God released full details after waiting 4 months for vendor to fix.

About:
Easy File Sharing Web Server is an extremely popular web-based file sharing application that has been in use for years.
It is a fast, easy to use commercial, standalone "all-in-one" file-sharing web server.

Customers use a built-in interface to point to files they wish to publish via a menu-driven web application (typically full drives or directories).  Files can be shared anonymously, or via EFSWS's built-in user management.   EFSWS has built-in SSL encryption to prevent logons from being sent in the clear (as well as all other access).    Users log in, and are presented with a menu of files that have been published and that are made available for download.

EFSWS uses the MGH Software "myDB" database plug-in to store db information such as file location, user information (password in the clear), files, forum information, etc.   A free db parser is available at:
http://www.mghsoft.com/

Please see vendor site and db engine site for more details.

Vulnerability details:
By default, EFSWS allows a user to download a file directly via a URL if the file name is known.  For example, if the file name posted is MyFileName1234.exe, then one could go directly to:
https://www.SiteRunningEFSWS.com/MyFileName1234.exe and immediately begin downloading the file.

In itself, this is not a big issue as one would have to guess any given filename.  However, EFSWS always uses the common file name "FILES.SDB" to store all the files being published.  This file is stored in the root program directory.  While the EFSWS product engine filters out many file types, it does NOT filter out FILES.SDB.  If you know someone is running EFSWS, one simply has to access the following URL to anonymously download the FILES.SDB file without authentication:
https://www.SiteRunningEFSWS.com/files.sdb

This will download the FILES.SDB file and will allow an attacker to see every published file via the free viewer record by record. (You can of course view the db as a text file).  Entries look like this:

"V:\rootDirForFiles\applications\Acronis Disk Director Suite 10.2160\ioware-w32-x86-30.exe"
"D:\anotherdir\music\crystalmethod\boom.mp3"

One can now access files directly by removing the drive letter and top directory as follows:
https://www.SiteRunningEFSWS.com/music/crystalmethod/boom.mp3

With the ease of database access to filenames, it is trivial to script up a client app to download all published files on the server without authentication over SSL.

Further, it is trivial to determine if someone is running EFSWS, even on an alternate port, by using the following Googledork:  inurl:vfolder.ghp.  There are other more accurate Googledorks, but I'll leave that up to the researcher.

This will show the (typically) unique file "vfolder.ghp" results, where you can retrieve the full company URL from, including port number.  This too can be scripted.

I am still trying different methods to access the USERS.SDB file, also in the root application directory, which contains all users (even administrative) and passwords (in the clear) in an effort to bypass any mandatory authentication applied, but have not found a way to gain access to this file externally yet.

Vulnerable Versions:
The current version is 5.0, released in August of this year.  While certain vulnerability testing took place in our Hammer of God labs in Bermuda, we were not able to check all versions of the software.  Self-assessment is trivial, so we will leave it up to the user to perform his/her own testing.


Summary:
Many companies use EFSWS to "securely" publish files for access to employees, vendors, and customers via SSL controlled by credential logon.  By default, files published may be accessed anonymously if the full file name is used.  Full filename details can be anonymously downloaded by accessing the FILES.SDB file, thus immediately allowing anonymous access to any file an attacker wants.  Note that other system files (such as logs) can also be accessed.  A googledork allows for searching against systems running EFSWS, thus providing a fully scriptable attack against all servers running this product for an anonymous attacker to download all files from all servers over SSL.

Work-arounds:
Ensure that all file access requires logon.  Use ISA/TMG to filter requests for /files.sdb.

Get hammered at HammerofGod.com


--------------------
Timothy Thor Mullen
thor@...merofgod.com
www.hammerofgod.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
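
A check a defender could run over web access logs to see whether FILES.SDB or USERS.SDB has been requested, and the same name matching a filter for the /files.sdb work-around would need. This is an added example, not part of the original advisory; the Common Log Format layout and the sample lines are assumptions constructed for illustration, since the page does not show EFSWS's own log format.

```python
import re
from urllib.parse import unquote, urlsplit

# Database files the advisory names in the EFSWS program directory.
SENSITIVE = {"files.sdb", "users.sdb"}

# Common Log Format request line; this log layout is an assumption.
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def normalize(target):
    """Reduce a request target to its canonical, lower-cased file name."""
    path = urlsplit(target).path
    # Decode repeatedly so double-encoded names are canonicalized too.
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows file names are case-insensitive and ignore trailing dots/spaces.
    return name.rstrip(". ").lower()

def flag_sdb_requests(lines):
    """Return (client, user, target, status) for requests naming a database file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, user, _method, target, status = m.groups()
        if normalize(target) in SENSITIVE:
            hits.append((client, user, target, int(status)))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - alice [15/Dec/2009:18:01:02 -0800] "GET /music/crystalmethod/boom.mp3 HTTP/1.1" 200 4312044',
    '198.51.100.7 - - [15/Dec/2009:18:02:10 -0800] "GET /files.sdb HTTP/1.1" 200 88211',
    '198.51.100.7 - - [15/Dec/2009:18:02:11 -0800] "GET /FILES.SDB HTTP/1.1" 200 88211',
    '203.0.113.5 - - [15/Dec/2009:18:05:40 -0800] "GET /%75sers.sdb HTTP/1.1" 404 0',
    '192.0.2.10 - alice [15/Dec/2009:18:06:00 -0800] "GET /docs/files.sdb.txt HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for client, user, target, status in flag_sdb_requests(SAMPLE_LOG):
        served = "SERVED" if status == 200 else "not served"
        print(f"{client} user={user} {target} -> {status} {served}")
```

A hit with status 200 and no authenticated user means the file list left the server anonymously, so every path recorded in it should be treated as exposed.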