Multiple vulnerabilities in WWW Fileshare Pro <= 2.42
#######################################################################
Luigi Auriemma
Application: WWW File Share Pro
http://www.wfshome.com
Versions: <= 2.42
Platforms: Windows
Bugs: - arbitrary server's files overwriting
      - remote crash
      - directory authorization bypass
Risk: critical
Exploitation: remote
Date: 14 Jan 2004
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxxx
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From the vendor's website:
"WWW File Share Pro is a small HTTP server that can help you share
files with your friends. They can download files from your computer or
upload files from theirs. Simply specify a directory for downloads and
a directory for uploads. ...
WWW File Share Pro supports password protection. If you enable password
protection, only authorized user can access your service."
#######################################################################
=======
2) Bugs
=======
A] Arbitrary server's files overwriting
---------------------------------------
The program has an option, enabled by default, that lets people upload
their files to a dedicated directory specified by the server's
administrator.
A flaw lets any user create or overwrite any file on the remote server
simply by using a dot-dot pattern in the file name passed to the server.
The following is the correct parameter sent to the server:
Content-Disposition: form-data; name="file"; filename="file.txt"
And this is the modified parameter that exploits the vulnerability:
Content-Disposition: form-data; name="file"; filename="../../../file.txt"
B] Remote crash
---------------
An attacker can crash the remote server by sending a large amount of
data with the POST command.
The effect is 100% CPU usage if the data is not too large (less than 2
megabytes), and a server crash or even a complete system freeze if the
data is larger.
C] Directory authorization bypass
---------------------------------
If the server has some protected directories, an attacker can bypass
the authorization process and gain full access to them.
This bug affects only individually protected directories and NOT the
"whole site" protection (option in User/Password setting).
To exploit the bug, a dot must be used at the end of the URL, or one or
more slashes or backslashes at the beginning of the URI.
#######################################################################
===========
3) The Code
===========
A] Arbitrary server's files overwriting
---------------------------------------
The following is example data to send to the server with telnet or
netcat; it creates a file called badfile.txt three directories above
the upload folder (so usually the file will be c:\badfile.txt):
http://aluigi.altervista.org/poc/wfshare-up.txt
B] Remote crash
---------------
The following are some examples using 2 of my generic toolz:
http://aluigi.altervista.org/poc/webpostmem.zip
http://aluigi.altervista.org/mytoolz/poststrike.zip
To test the CPU at 100% use "webpostmem 2000 1 server"
To test the server crash use webpostmem with a higher first value or
use "poststrike server"
To try to freeze the system you can launch "webpostmem 1000 10 server"
and try other methods
C] Directory authorization bypass
---------------------------------
http://server/directory./
http://server/\directory/
http://server///directory/
"GET \directory/ HTTP/1.0"
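Added example (not part of the original advisory and not the vendor's fix): a server-side check that reduces every request form listed above to one canonical path before the protected-directory lookup, and applies the same segment rules to the upload filename from bug A. The names PROTECTED_DIRS, canonical_path, needs_auth and safe_upload_name are hypothetical, and rejecting ':' in a segment goes slightly beyond the cases the advisory lists.

```python
from urllib.parse import unquote

# Constructed sample policy: the protected directory used in the URLs above.
PROTECTED_DIRS = {"/directory"}

def _segments(path):
    """Split on both separators and normalize each segment as Win32 would."""
    out = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):            # "///directory/" and "/./" add nothing
            continue
        if seg == ".." or ":" in seg:   # no traversal, no drive or stream names
            raise ValueError("rejected path segment: %r" % seg)
        seg = seg.rstrip(". ")          # Win32 opens "directory." as "directory"
        if not seg:
            raise ValueError("rejected path segment")
        out.append(seg)
    return out

def canonical_path(raw_uri_path):
    """Canonical request path; use it for BOTH the ACL check and file access."""
    return "/" + "/".join(_segments(unquote(raw_uri_path)))

def needs_auth(raw_uri_path):
    """True if the canonical path is a protected directory or lies below one."""
    path = canonical_path(raw_uri_path)
    return any(path == d or path.startswith(d + "/") for d in PROTECTED_DIRS)

def safe_upload_name(filename):
    """Accept a Content-Disposition filename only if it is one bare name."""
    segs = _segments(filename)          # raises ValueError on ".." segments
    if len(segs) != 1:
        raise ValueError("upload filename must not contain a path")
    return segs[0]

if __name__ == "__main__":
    # The request forms from section 3C, plus the normal one.
    for uri in ["/directory/", "/directory./", "/\\directory/",
                "///directory/", "\\directory/"]:
        print(repr(uri), "->", canonical_path(uri), "auth:", needs_auth(uri))
```

A ValueError from either function should be answered with an error response rather than a fallback to the raw path.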
#######################################################################
======
4) Fix
======
Upgrade to version 2.48, or apply the upgrade patch if version 2.46 is
already installed on the system.
Note: version 2.46 patches all the bugs except one type of directory
authorization bypass, which is fixed in version 2.48.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org