[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

To: Rohit Patnaik <quanticle@xxxxxxxxx>
Subject: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
Date: Tue, 15 Dec 2009 18:33:59 -0800

I actually DID try to access the .sdb in Ubuntu but that was before I 
identified the file format of the db as myDB as noted.  I do not know of a 'nix 
based tool for access to the db.  If you just want to verify, you can open the 
.sdb with a text/hex editor and parse out a filename for yourself - it's pretty 
straight forward.  If you want to script the download of all files on a 
vulnerable server (for testing, of course) then you'll probably need to go 
ahead and set up a VM.

t

From: Rohit Patnaik [mailto:quanticle@xxxxxxxxx]
Sent: Tuesday, December 15, 2009 6:29 PM
To: Thor (Hammer of God)
Cc: bugtraq@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing 
Web Server

Wow.  Very nice find.  One question: all the cited tools are Windows 
executables.  Has there been any attempt to run the database viewer in Linux 
via Wine?  I'm wondering if I'm going to have to set up a VM to try to confirm 
this, or if I can try to do this via Wine.

Although the n3td3v drama is entertaining, its finds like this which keep me 
subscribed to this list.

Thanks again,
Rohit Patnaik
On Tue, Dec 15, 2009 at 6:16 PM, Thor (Hammer of God) 
<thor@xxxxxxxxxxxxxxx<mailto:thor@xxxxxxxxxxxxxxx>> wrote:
File Access Vulnerability in Easy File Sharing Web Server

Discovered by:
Timothy "Thor" Mullen


Testing by Steve "Raging Haggis" Moffat, Hammer of God, Bermuda Labs

Product:        Easy File Sharing Web Server, current versions, default 
installation
Vendor:         http://www.sharing-file.com/

Vendor Notification and Disclosure:
08/22/09: EFSW support notified of issue.
08/22/09: EFSW said it is not an issue because you can turn off direct file 
access.
08/23/09: EFSW support notified that FILES.SDB file can be directly accessed.
08/24/09: EFSW replied, saying 'no, you can't access the file,' even though you 
can.
12/15/09: Hammer of God released full details after waiting 4 months for vendor 
to fix.

About:
Easy File Sharing Web Server is an extremely popular web-based file sharing 
application that has been in use for years.
It is a fast, easy to use commercial, standalone "all-in-one" file-sharing web 
server.

Customers use a built-in interface to point to files they wish to publish via a 
menu-driven web application (typically full drives or directories).  Files can 
be shared anonymously, or via EFSWS's built-in user management.   EFSWS has 
built-in SSL encryption to prevent logons from being sent in the clear (as well 
as all other access).    Users log in, and are presented with a menu of files 
that have been published and that are made available for download.

EFSWS uses the MGH Software "myDB" database plug-in to store db information 
such as file location, user information (password in the clear), files, forum 
information, etc.   A free db parser is available at:
http://www.mghsoft.com/

Please see vendor site and db engine site for more details.

Vulnerability details:
By default, EFSWS allows a user to download a file directly via a URL if the 
file name is known.  For example, if the file name posted is 
MyFileName1234.exe, then one could go directly to:
https://www.SiteRunningEFSWS.com/MyFileName1234.exe and immediately begin 
downloading the file.

In itself, this is not a big issue as one would have to guess any given 
filename.  However, EFSWS always uses the common file name "FILES.SDB" to store 
all the files being published.  This file is stored in the root program 
directory.  While the EFSWS product engine filters out many file types, it does 
NOT filter out FILES.SDB.  If you know someone is running EFSWS, one simply has 
to access the following URL to anonymously download the FILES.SDB file without 
authentication:
https://www.SiteRunningEFSWS.com/files.sdb

This will download the FILES.SDB file and will allow an attacker to see every 
published file via the free viewer record by record. (You can of course view 
the db as a text file).  Entries look like this:

"V:\rootDirForFiles\applications\Acronis Disk Director Suite 
10.2160\ioware-w32-x86-30.exe"
"D:\anotherdir\music\crystalmethod\boom.mp3"

One can now access files directly by removing the drive letter and top 
directory as follows:
https://www.SiteRunningEFSWS.com/music/crystalmethod/boom.mp3

With the ease of database access to filenames, it is trivial to script up a 
client app to download all published files on the server without authentication 
over SSL.

Further, it is trivial to determine if someone is running EFSWS, even on an 
alternate port, by using the following Googledork:  inurl:vfolder.ghp.  There 
are other more accurate Googledorks, but I'll leave that up to the researcher.

This will show the (typically) unique file "vfolder.gph" results, where you can 
retrieve the full company URL from, including portnumber.  This too can be 
scripted.

I am still trying different methods to access the USERS.SDB file, also in the 
root application directory, which contains all users (even administrative) and 
passwords (in the clear) in an effort to bypass any mandatory authentication 
applied, but have not found a way to gain access to this file externally yet.

Vulnerable Versions:
The current version is 5.0, released in August of this year.  While certain 
vulnerability testing took place in our Hammer of God labs in Bermuda, we were 
not able to check all versions of the software.  Self-assessment is trivial, so 
we will leave it up to user to perform his/her own testing.


Summary:
Many companies use EFSWS to "securely" publish files for access to employees, 
vendors, and customers via SSL controlled by credential logon.  By default, 
files published may be accesses anonymously if the full file name is used.  
Full filename details can be anonymously downloaded by accessing the FILES.SDB 
file, thus immediately allowing anonymous access to any file an attacker wants. 
 Note that other system files (such as logs) can also be accessed.  A 
googledork allows for searching against systems running EFSWS, thus providing a 
fully scriptable attack against all servers running this product for an 
anonymous attacker to download all files from all servers over SSL.

Work-arounds:
Ensure that all file access requires logon.  Use ISA/TMG to filter requests for 
/files.sdb.

Get hammered at HammerofGod.com


--------------------
Timothy Thor Mullen
thor@xxxxxxxxxxxxxxx<mailto:thor@xxxxxxxxxxxxxxx>
www.hammerofgod.com<http://www.hammerofgod.com>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server
  - From: Thor (Hammer of God)
- Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server
  - From: Rohit Patnaik

Prev by Date: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server
Next by Date: Re: [Full-disclosure] Google Chrome 3.0.195.33 leaks DNS data queries outsitde of proxy if dns pre-fetching is enabled
Previous by thread: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server
Next by thread: [Full-disclosure] Cisco Security Advisory: Multiple Cisco WebEx WRF Player Vulnerabilities
Index(es):
- Date
- Thread