[Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

["Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>]

File Access Vulnerability in Easy File Sharing Web Server

Discovered by:
Timothy "Thor" Mullen


Testing by Steve "Raging Haggis" Moffat, Hammer of God, Bermuda Labs

Product:        Easy File Sharing Web Server, current versions, default 
installation
Vendor:         http://www.sharing-file.com/

Vendor Notification and Disclosure:
08/22/09: EFSW support notified of issue.
08/22/09: EFSW said it is not an issue because you can turn off direct file 
access.
08/23/09: EFSW support notified that FILES.SDB file can be directly accessed.
08/24/09: EFSW replied, saying 'no, you can't access the file,' even though you 
can.
12/15/09: Hammer of God released full details after waiting 4 months for vendor 
to fix.

About:
Easy File Sharing Web Server is an extremely popular web-based file sharing 
application that has been in use for years.  
It is a fast, easy to use commercial, standalone "all-in-one" file-sharing web 
server.  

Customers use a built-in interface to point to files they wish to publish via a 
menu-driven web application (typically full drives or directories).  Files can 
be shared anonymously, or via EFSWS's built-in user management.   EFSWS has 
built-in SSL encryption to prevent logons from being sent in the clear (as well 
as all other access).    Users log in, and are presented with a menu of files 
that have been published and that are made available for download.   

EFSWS uses the MGH Software "myDB" database plug-in to store db information 
such as file location, user information (password in the clear), files, forum 
information, etc.   A free db parser is available at:
http://www.mghsoft.com/

Please see vendor site and db engine site for more details.

Vulnerability details:
By default, EFSWS allows a user to download a file directly via a URL if the 
file name is known.  For example, if the file name posted is 
MyFileName1234.exe, then one could go directly to:
https://www.SiteRunningEFSWS.com/MyFileName1234.exe and immediately begin 
downloading the file. 

In itself, this is not a big issue as one would have to guess any given 
filename.  However, EFSWS always uses the common file name "FILES.SDB" to store 
all the files being published.  This file is stored in the root program 
directory.  While the EFSWS product engine filters out many file types, it does 
NOT filter out FILES.SDB.  If you know someone is running EFSWS, one simply has 
to access the following URL to anonymously download the FILES.SDB file without 
authentication:
https://www.SiteRunningEFSWS.com/files.sdb

This will download the FILES.SDB file and will allow an attacker to see every 
published file via the free viewer record by record. (You can of course view 
the db as a text file).  Entries look like this:

"V:\rootDirForFiles\applications\Acronis Disk Director Suite 
10.2160\ioware-w32-x86-30.exe"
"D:\anotherdir\music\crystalmethod\boom.mp3"

One can now access files directly by removing the drive letter and top 
directory as follows:
https://www.SiteRunningEFSWS.com/music/crystalmethod/boom.mp3

With the ease of database access to filenames, it is trivial to script up a 
client app to download all published files on the server without authentication 
over SSL.

Further, it is trivial to determine if someone is running EFSWS, even on an 
alternate port, by using the following Googledork:  inurl:vfolder.ghp.  There 
are other more accurate Googledorks, but I'll leave that up to the researcher.

This will show the (typically) unique file "vfolder.gph" results, where you can 
retrieve the full company URL from, including portnumber.  This too can be 
scripted.  

I am still trying different methods to access the USERS.SDB file, also in the 
root application directory, which contains all users (even administrative) and 
passwords (in the clear) in an effort to bypass any mandatory authentication 
applied, but have not found a way to gain access to this file externally yet.

Vulnerable Versions:
The current version is 5.0, released in August of this year.  While certain 
vulnerability testing took place in our Hammer of God labs in Bermuda, we were 
not able to check all versions of the software.  Self-assessment is trivial, so 
we will leave it up to user to perform his/her own testing. 


Summary:
Many companies use EFSWS to "securely" publish files for access to employees, 
vendors, and customers via SSL controlled by credential logon.  By default, 
files published may be accesses anonymously if the full file name is used.  
Full filename details can be anonymously downloaded by accessing the FILES.SDB 
file, thus immediately allowing anonymous access to any file an attacker wants. 
 Note that other system files (such as logs) can also be accessed.  A 
googledork allows for searching against systems running EFSWS, thus providing a 
fully scriptable attack against all servers running this product for an 
anonymous attacker to download all files from all servers over SSL. 

Work-arounds:
Ensure that all file access requires logon.  Use ISA/TMG to filter requests for 
/files.sdb.  

Get hammered at HammerofGod.com


--------------------
Timothy Thor Mullen
thor@xxxxxxxxxxxxxxx
www.hammerofgod.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/