#######################################################################

                             Luigi Auriemma

Application:  WWW File Share Pro
              http://www.wfshome.com
Versions:     <= 2.42
Platforms:    Windows
Bugs:         - arbitrary server's files overwriting
              - remote crash
              - directory authorization bypass
Exploitation: remote
Date:         14 Jan 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From the vendor's website:

"WWW File Share Pro is a small HTTP server that can help you share files
with your friends. They can download files from your computer or upload
files from theirs. Simply specify a directory for downloads and a
directory for uploads.
...
WWW File Share Pro supports password protection. If you enable password
protection, only authorized user can access your service."

#######################################################################

=======
2) Bugs
=======

A] Arbitrary server's files overwriting
---------------------------------------

The program has an option, enabled by default, that lets people upload
their files into a dedicated directory specified by the server's
administrator.

A flaw exists that lets any user create or overwrite any file on the
remote server simply by using a dot-dot pattern in the name of the file
passed to the server. The filename is taken as-is, so the path is not
confined to the upload directory.

The following is the correct parameter sent to the server:

  Content-Disposition: form-data; name="file"; filename="file.txt"

And this is the modified parameter that triggers the vulnerability:

  Content-Disposition: form-data; name="file"; filename="../../../file.txt"

B] Remote crash
---------------

An attacker can crash the remote server by sending a large amount of
data in a POST request.

The effects are CPU usage at 100% if the data is not too large (less
than 2 megabytes), and the server crashing or even the whole system
freezing if the data is larger.

C] Directory authorization bypass
---------------------------------

If the server has some protected directories, the attacker can bypass
the authorization process and gain full access to them.

This bug affects only the per-directory protection and NOT the "whole
site" protection (option in the User/Password settings).

To exploit the bug, a dot must be used at the end of the URL, or one or
more slashes or backslashes at the beginning of the URI: the
authorization check compares the raw request path against the protected
directory name, while the file system resolves these variants to the
same directory.

#######################################################################

===========
3) The Code
===========

A] Arbitrary server's files overwriting
---------------------------------------

The following is example data to send with telnet or netcat to the
server; it will create a file called badfile.txt three directories up
from the upload folder (so usually the file will be c:\badfile.txt):

  http://aluigi.org/poc/wfshare-up.txt

B] Remote crash
---------------

The following are some examples using 2 of my generic toolz:

  http://aluigi.org/poc/webpostmem.zip
  http://aluigi.org/mytoolz/poststrike.zip

To test the CPU at 100% use "webpostmem 2000 1 server".

To test the crashing of the server use webpostmem with a higher first
value, or use "poststrike server".

To try to freeze the system you can launch "webpostmem 1000 10 server"
and try other methods.

C] Directory authorization bypass
---------------------------------

  http://server/directory./
  http://server/\directory/
  http://server///directory/

  "GET \directory/ HTTP/1.0"

#######################################################################

======
4) Fix
======

Version 2.48, or the upgrade patch if version 2.46 is already installed
on the system.

Note: version 2.46 patches all the bugs except one type of directory
authorization bypass, which is fixed in version 2.48.

#######################################################################
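Added example, not part of the advisory and not the vendor's code: the input canonicalisation a small file server needs to close bugs A and C above, assuming POSIX-style paths and a hypothetical upload_dir / protected_dirs configuration.

```python
import posixpath

# Added example (not code from WWW File Share Pro). Paths are handled in POSIX
# form so the logic is deterministic; a Windows server should additionally
# canonicalise through the file system before acting on the result.

def safe_upload_path(upload_dir: str, client_filename: str):
    """Map a multipart 'filename' to a path inside upload_dir, or None if unsafe."""
    name = client_filename.replace("\\", "/")
    # The client may supply only a bare file name: any separator, "..",
    # or a Windows-stripped trailing dot/space is rejected outright.
    if "/" in name or name in ("", ".", "..") or name != name.rstrip(". "):
        return None
    root = posixpath.normpath(upload_dir)
    dest = posixpath.normpath(posixpath.join(root, name))
    # Belt and braces: the resolved path must still sit under the upload root.
    if posixpath.commonpath([root, dest]) != root:
        return None
    return dest

def canonical_request_path(uri: str) -> str:
    """Reduce a request URI to the single form the protection check compares."""
    path = uri.split("?", 1)[0].replace("\\", "/")    # Windows treats \ as /
    path = posixpath.normpath("/" + path.lstrip("/")) # collapse ///, ./ and ../
    # Windows ignores trailing dots and spaces in names: "directory." is "directory".
    return "/".join(part.rstrip(". ") for part in path.split("/")) or "/"

def is_protected(uri: str, protected_dirs) -> bool:
    """True if the canonical request path lies inside any protected directory."""
    path = canonical_request_path(uri)
    for d in protected_dirs:
        root = canonical_request_path(d)
        prefix = root if root.endswith("/") else root + "/"
        if path == root or path.startswith(prefix):
            return True
    return False
```

The three bypass shapes from section 3 C] all normalise to "/directory" here, so they are matched by the same rule as the plain request.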