Category:   Application (File Transfer/Sharing)  >   WWW File Share
Vendors:   LionMax Software
WWW File Share Pro Lets Remote Authenticated Users Overwrite Files on the System
SecurityTracker Alert ID:  1008779
SecurityTracker URL:  http://securitytracker.com/id/1008779
CVE Reference:   CAN-2004-0059, CAN-2004-0060, CAN-2004-0061
Updated:  Jan 21 2004
Original Entry Date:  Jan 20 2004
Impact:   Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 2.42
Description:   Several vulnerabilities were reported in WWW File Share Pro. A remote authenticated user can overwrite files on the target system. A remote user can access some protected directories on the target system. A remote user can cause the system to crash.

Luigi Auriemma reported that a remote authenticated user can invoke the file upload feature with the '../' directory traversal characters in the filename to overwrite arbitrary files on the system [CVE: CAN-2004-0059]. A demonstration exploit parameter is provided:

Content-Disposition: form-data; name="file"; filename="../../../file.txt"

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/wfshare-up.txt
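
A server-side check that neutralizes the traversal filename shown above, as an added example (not code from the vendor or from the original advisory). The upload root `C:\wfs\uploads` and the names `upload_target` and `UnsafeFilename` are assumptions made for illustration:

```python
import ntpath
import re

UPLOAD_ROOT = r"C:\wfs\uploads"  # assumed upload directory, not from the advisory


class UnsafeFilename(ValueError):
    """Raised when a client-supplied filename cannot be stored safely."""


def upload_target(content_disposition: str, root: str = UPLOAD_ROOT) -> str:
    """Return the absolute path an upload may be written to, or raise."""
    match = re.search(r'filename="([^"]*)"', content_disposition)
    if match is None:
        raise UnsafeFilename("no filename parameter")
    raw = match.group(1)

    # The server runs on Windows, so both '/' and '\' separate components.
    # Keep only the final component; directory parts sent by the client are
    # never trusted.
    name = ntpath.basename(raw.replace("/", "\\"))
    # Windows drops trailing dots and spaces, and ':' selects a drive or an
    # alternate data stream, so neither may survive into the stored name.
    name = name.rstrip(". ")
    if not name or ":" in name:
        raise UnsafeFilename(raw)

    # Defence in depth: the resolved path must still sit below the root.
    root_norm = ntpath.normcase(ntpath.normpath(root))
    target = ntpath.normpath(ntpath.join(root, name))
    if ntpath.commonpath([root_norm, ntpath.normcase(target)]) != root_norm:
        raise UnsafeFilename(raw)
    return target
```

With this check the `../../../file.txt` upload is stored as `file.txt` inside the upload directory, and names that reduce to nothing (such as `..`) are refused.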

It is also reported that a remote user can send a POST request with a large amount of data to cause CPU utilization to reach 100% or potentially cause the target system to crash [CVE: CAN-2004-0060]. Some demonstration exploit scripts are available at:

http://aluigi.altervista.org/poc/webpostmem.zip
http://aluigi.altervista.org/mytoolz/poststrike.zip

It is also reported that a remote user can gain access to certain protected directories by requesting a URL for that directory with a period character ('.') at the end of the URL or with one or more slash or backslash characters at the beginning of the URL [CVE: CAN-2004-0061]. Some demonstration exploit URLs/requests are provided:

http://[target]/directory./
http://[target]/\directory/
http://[target]///directory/
GET \directory/ HTTP/1.0
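
The variants above all name the same directory once Windows resolves them, so the access check has to run on a canonical form of the path rather than on the raw request string. The following added example (not the vendor's code) shows one way to do that; the protected directory name and the function names are assumptions, and it also percent-decodes the path and folds case, which goes beyond the cases listed in the advisory:

```python
from urllib.parse import unquote

# Assumed configuration: protected directories as tuples of lowercase segments.
PROTECTED = {("directory",)}


def canonical_segments(request_target: str) -> tuple:
    """Reduce a request path to the segments the Windows file API would use."""
    # Decode once, drop the query string, and treat '\' like '/'.
    path = unquote(request_target.split("?", 1)[0]).replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):          # repeated or leading slashes, no-op dots
            continue
        if seg == "..":
            if not segments:
                raise ValueError("path escapes the web root")
            segments.pop()
            continue
        seg = seg.rstrip(". ")        # 'directory.' opens 'directory' on Windows
        if not seg:
            raise ValueError("segment consists only of dots or spaces")
        segments.append(seg.lower())  # the file system is case-insensitive
    return tuple(segments)


def requires_auth(request_target: str, protected=PROTECTED) -> bool:
    """True when the canonical path is a protected directory or lies below one."""
    segs = canonical_segments(request_target)
    return any(segs[:len(prefix)] == prefix for prefix in protected)
```

The same canonical segments should then be used to open the file, so that the path that was authorized and the path that is served cannot differ.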

Impact:   A remote authenticated user can overwrite arbitrary, specified files on the target system with the privileges of WWW File Share Pro.

A remote user can access some protected directories on the target system.

A remote user can cause the system to crash.

Solution:   The vendor has issued a fixed version (2.48), available at:

http://www.wfshome.com/download.htm

Vendor URL:  www.wfshome.com/
Cause:   Access control error, Boundary error, Input validation error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Wed, 14 Jan 2004 20:11:42 +0000
Subject:  Multiple vulnerabilities in WWW Fileshare Pro <= 2.42



#######################################################################

                             Luigi Auriemma

Application:  WWW File Share Pro
              http://www.wfshome.com
Versions:     <= 2.42
Platforms:    Windows
Bugs:         - arbitrary server's files overwriting
              - remote crash
              - directory authorization bypass
Risk:         critical
Exploitation: remote
Date:         14 Jan 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From the vendor's website:

"WWW File Share Pro is a small HTTP server that can help you share
files with your friends. They can download files from your computer or
upload files from theirs. Simply specify a directory for downloads and
a directory for uploads. ...
WWW File Share Pro supports password protection. If you enable password
protection, only authorized user can access your service."


#######################################################################

=======
2) Bugs
=======


A] Arbitrary server's files overwriting
---------------------------------------

The program has an option enabled by default that lets people upload
their files in a dedicated directory specified by the server's
administrator.
A flaw exists that lets any user create or overwrite any file on the
remote server simply by using a dot-dot pattern in the name of the file
passed to the server.
The following is the right parameter sent to the server:
   Content-Disposition: form-data; name="file"; filename="file.txt"

And this is the modified parameter to exploit the vulnerability:
   Content-Disposition: form-data; name="file"; filename="../../../file.txt"


B] Remote crash
---------------

An attacker can crash the remote server by sending a lot of bytes using
the POST command.
The effects are the CPU at 100% if the data is not too much (less than 2
megabytes) and the server's crash or also the complete system freeze if
the data is more.


C] Directory authorization bypass
---------------------------------

If the server has some protected directories, the attacker can bypass
the authorization process and gain full access to them.
This bug affects only each protected directory and NOT the "whole site"
protection (option in User/Password setting).
To exploit the bug, a dot must be used at the end of the URL or one or
more slashes or backslashes at the beginning of the URI.


#######################################################################

===========
3) The Code
===========


A] Arbitrary server's files overwriting
---------------------------------------

The following is example data to send with telnet or netcat to the
server that will create a file called badfile.txt three directories up
from the upload folder (so usually the file will be c:\badfile.txt):

   http://aluigi.altervista.org/poc/wfshare-up.txt


B] Remote crash
---------------

The following are some examples using 2 of my generic toolz:

   http://aluigi.altervista.org/poc/webpostmem.zip
   http://aluigi.altervista.org/mytoolz/poststrike.zip

To test the CPU at 100% use "webpostmem 2000 1 server"
To test the crashing of the server use webpostmem with a higher first
value or use "poststrike server"
To try to freeze the system you can launch "webpostmem 1000 10 server"
and try other methods


C] Directory authorization bypass
---------------------------------

   http://server/directory./
   http://server/\directory/
   http://server///directory/
   "GET \directory/ HTTP/1.0"


#######################################################################

======
4) Fix
======


Version 2.48 or the upgrade patch if version 2.46 is already
installed on the system.
Note: version 2.46 patches all the bugs except a type of directory
authorization bypass fixed in the 2.48 version.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

 
 



Copyright 2014, SecurityGlobal.net LLC