CERT VU:251276
Oct 06, 2014 - 12:00 a.m.

Rejetto HTTP File Server (HFS) search feature fails to handle null bytes

2014-10-06 00:00:00
www.kb.cert.org

CVSS3: 9.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.973 High
Percentile: 99.9%

Overview

Rejetto HTTP File Server (HFS) search feature in versions 2.3, 2.3a, and 2.3b fails to handle null bytes.

Description

CWE-158: Improper Neutralization of Null Byte or NUL Character - CVE-2014-6287

Rejetto HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in parserLib.pas that fails to handle null bytes. Commands that follow a null byte in the search string are executed on the host system. As an example, the following search submitted to a vulnerable HFS instance launches calculator on the host Microsoft Windows system:

http://<vulnerable instance>/?search==%00{.exec|calc.}

Note that this vulnerability is being exploited in the wild. A Metasploit module has been released to exploit this vulnerability.
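A log check for the request pattern described above, added here as an example and not taken from the CERT advisory or from HFS. It assumes access logs in Common Log Format (for example from a reverse proxy in front of HFS); the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

MACRO_OPEN = b"{."  # start of an HFS macro such as {.exec|...}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def search_values(target):
    """Yield the raw value of every 'search' query parameter."""
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_to_bytes(name).lower() == b"search":
            yield value

def classify(target):
    """Return 'exploit-pattern', 'null-byte' or None for a request target."""
    verdict = None
    for raw in search_values(target):
        decoded = unquote_to_bytes(raw)  # decode %00, %7B and so on
        nul = decoded.find(b"\x00")
        if nul == -1:
            continue
        if MACRO_OPEN in decoded[nul + 1:]:
            return "exploit-pattern"  # macro text after the null byte
        verdict = "null-byte"  # suspicious, but no macro follows
    return verdict

def scan(lines):
    """Return (line number, verdict) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        verdict = classify(match.group(1)) if match else None
        if verdict:
            hits.append((number, verdict))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Oct/2014:10:00:01 +0000] "GET /?search=report HTTP/1.1" 200 512',
    '192.0.2.44 - - [06/Oct/2014:10:00:07 +0000] "GET /?search==%00{.exec|calc.} HTTP/1.1" 200 512',
    '192.0.2.44 - - [06/Oct/2014:10:00:09 +0000] "GET /?search=%00%7B.exec%7Ccalc.%7D HTTP/1.1" 200 512',
    '192.0.2.77 - - [06/Oct/2014:10:01:30 +0000] "GET /?search=a%00b HTTP/1.1" 200 512',
    '192.0.2.10 - - [06/Oct/2014:10:02:00 +0000] "GET /docs/?sort=name HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(f"line {number}: {verdict}")
```

Any hit on a host running HFS 2.3, 2.3a or 2.3b warrants checking for processes spawned by the HFS executable around the logged time.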


Impact

A remote, unauthenticated user may be able to run arbitrary operating system commands on the server.


Solution

Apply an update
This issue is addressed in HFS version 2.3c and later, available here.


Vendor Information


Rejetto: Affected

Notified: October 03, 2014 Updated: October 06, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Addendum

This issue is addressed in HFS version 2.3c and later, available here.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

| Group | Score | Vector |
| --- | --- | --- |
| Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Temporal | 6.2 | E:F/RL:OF/RC:C |
| Environmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |

References

Acknowledgements

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2014-6287
Date Public: 2014-09-11 Date First Published:
