PaQFile_Share.txt

2006-01-01T00:00:00
ID PACKETSTORM:42725
Type packetstorm
Reporter Dr. Insane
Modified 2006-01-01T00:00:00

Description

                                        
`eFileGo 3.01 Multiple Vulnerabilities
  
Severity:  
Critical  
  
Date of release:  
31/12/2005  
  
Product url:  
http://www.paqtool.com/download.html  
  
  
Description:  
A file share http server. Safely as p2p software, no client needed. Your friend can download files from your computer by internet browser
quickly. This software is an easy&fast-send-files software that runs under Windows 95/98/NT/ME/2000/XP. When you want to send a large file,
photos, images, programs, folders and a website etc. on your computer, please try eFileGo. It can send large files that an e-mail program
can't. This software lets the receiver visit your computer directly. Your computer will become a server. You just click one button.
It will finish. You need not wait for an attachment being sent via an email anymore.
  
  
Vulnerability Analysis:  
Multiple vulnerabilities have been identified in eFileGo 3.01 that may be used by a remote attacker to successfully compromise a remote
system.
  
(1) Directory Traversal attack & Directory Listing  
  
An input validation error causes a directory traversal vulnerability: it is possible to escape the user-configured root folder and
retrieve arbitrary files on the system using the ".../.../" character sequence.
  
Example:  
http://[host]:608/.../.../.../.../.../windows/  
http://[host]:608/.../.../.../.../.../.../windows/explorer.exe  
  
  
(2) Remote Command Execution  
  
Using the directory traversal attack discussed above, it is possible to execute commands remotely using cmd.exe.
  
Example:  
http://[host]:608/.../.../.../.../.../.../.../.../windows/system32/cmd.exe?/c+dir  
This command will list all the files in the /windows/system32/ folder. Be imaginative...
  
  
  
(3) Upload.exe Denial of Service and file upload vulnerability  
  
i) A denial of service condition has been identified in upload.exe that will make the system consume 50-60% CPU. The problem
occurs when upload.exe, which is used by users to upload new files to the server, takes an invalid upload directory as a parameter.
Example:
http://[host]:608/dasjf9832root/cgi-bin/upload.exe?/some_random_directory...
  
ii) A second vulnerability exists in upload.exe that may be used by remote malicious users to upload files anywhere on the hard disk.
For this bug to work successfully, it must be combined with the directory traversal bug above.
Example: Let's say that I want to put the file nc.exe into the /windows folder. The first thing I have to do is to use
http://[host]/.../.../.../.../.../windows/ and then just use the upload function to upload the file to the /windows folder.
Finally we will get something like this:
(http://[host]:608/dasjf9832root/cgi-bin/upload.exe?/.../.../.../.../.../.../windows/)
Local file "C:\test\nc.exe" is uploaded to the server successfully.
  
***Be careful! If you try to access /cgi-bin/upload.exe?/.../.../.../.../.../.../windows/ directly without having used the traversal bug
first, it won't work and the file nc.exe will end up in the already specified folder.
  
  
credit:  
dr_insane  
  
  
  
  
  
  
  
  
  
  
  
  
`
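A detection check for the request patterns shown in the examples above, as an added example that is not part of the original advisory or of eFileGo: it flags path segments made only of dots (percent-encoded ones included) in the request path or in the query string passed to upload.exe. The function names and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# A path segment made only of dots ("..", "...", "....") is never a legitimate
# file or folder name, so it is treated as a traversal attempt.
DOT_SEGMENT = re.compile(r"^\.{2,}$")

def _has_dot_segment(text):
    """True if any /- or \\-separated segment of the decoded text is dots only."""
    return any(DOT_SEGMENT.match(seg) for seg in re.split(r"[\\/]", unquote(text)))

def findings(request_target):
    """Return the advisory patterns that a request target (path?query) matches."""
    parts = urlsplit(request_target)
    out = []
    if _has_dot_segment(parts.path):
        out.append("traversal-in-path")
        # Issue (2): a traversal that ends on an executable.
        if unquote(parts.path).lower().endswith(".exe"):
            out.append("executable-via-traversal")
    # Issue (3): upload.exe takes its target directory from the query string.
    if _has_dot_segment(parts.query):
        out.append("traversal-in-query")
    return out

# Constructed request lines modelled on the advisory's example URLs.
SAMPLE_REQUESTS = [
    "GET /photos/holiday.v1.2.jpg HTTP/1.0",
    "GET /.../.../.../.../.../windows/ HTTP/1.0",
    "GET /.../.../.../windows/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /dasjf9832root/cgi-bin/upload.exe?/.../.../.../windows/ HTTP/1.0",
    "GET /%2e%2e%2e/%2E%2E%2E/windows/win.ini HTTP/1.0",
]

def scan(request_lines):
    """Map each suspicious request target to the list of patterns it matched."""
    flagged = {}
    for line in request_lines:
        fields = line.split()
        if len(fields) < 2:
            continue  # not a request line
        hits = findings(fields[1])
        if hits:
            flagged[fields[1]] = hits
    return flagged

if __name__ == "__main__":
    for target, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{', '.join(hits):45} {target}")
```

The same `findings` test can be applied in a reverse proxy or filter in front of the server on port 608 to reject such requests before they reach it.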