eFileGo 3.01 Multiple Vulnerabilities

Severity:
Critical

Date of release:
31/12/2005

Product url:
http://www.paqtool.com/download.html


Description:
A file share http server. As safe as p2p software, no client needed. Your friend can download files from your computer quickly with an
internet browser. This software is an easy and fast file-sending program that runs under Windows 95/98/NT/ME/2000/XP. When you want to send
a large file, photos, images, programs, folders, a website etc. from your computer, please try eFileGo. It can send large files that an e-mail
program can't. This software lets the receiver visit your computer directly. Your computer will become a server. You just click one button
and it is done. You no longer need to wait for an attachment to be sent via email.


Vulnerability Analysis:
Multiple vulnerabilities have been identified in eFileGo 3.01 that may be used by a remote attacker to successfully compromise a remote
system.

(1) Directory Traversal attack & Directory Listing

A directory traversal vulnerability is caused by an input validation error that makes it possible to escape the user-configured root folder and
retrieve arbitrary files on the system via directory traversal attacks using the ".../.../" character sequence.

Example:
http://[host]:608/.../.../.../.../.../windows/
http://[host]:608/.../.../.../.../.../.../windows/explorer.exe


(2) Remote Command Execution

Using the directory traversal attack discussed above, it is possible to execute commands remotely using cmd.exe.

Example:
http://[host]:608/.../.../.../.../.../.../.../.../windows/system32/cmd.exe?/c+dir
This command will list all the files in the /windows/system32/ folder. Be imaginative...



(3) Upload.exe Denial of Service and file upload vulnerability

i) A denial of service condition has been identified in upload.exe that will make the system consume 50-60% cpu usage. The problem
occurs when upload.exe, the file that users use to upload new files to the server, takes an invalid upload directory as a parameter.
Example:
http://[host]:608/dasjf9832root/cgi-bin/upload.exe?/some_random_directory...

ii) A second vulnerability exists in upload.exe that may be used by remote malicious users to upload files anywhere on the hard disk.
For this bug to work successfully, it must be combined with the directory traversal bug above.
Example: Let's say that I want to put the file nc.exe into the /windows folder. The first thing I have to do is to use the URL
http://[host]/.../.../.../.../.../windows/ and then just use the upload function to upload the file to the /windows folder.
Finally we will get something like this:
(http://[host]:608/dasjf9832root/cgi-bin/upload.exe?/.../.../.../.../.../.../windows/)
Local file "C:\test\nc.exe" is uploaded to the server successfully.

***Be careful! If you try to access /cgi-bin/upload.exe?/.../.../.../.../.../.../windows/ directly without having used the traversal bug
first, it won't work and the file nc.exe will end up in the already specified folder.
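
Added example (not part of the original advisory and not eFileGo code): a sketch of the input validation that (1) and (3 ii) show to be
missing, mapping a request target, or the directory argument passed to upload.exe, onto the configured root and refusing anything that could
leave it. The root C:\share and the function name are assumptions made for illustration.

```python
import ntpath
from urllib.parse import unquote

SHARE_ROOT = r"C:\share"  # assumption: the user-configured root folder


def resolve_request_path(request_target, root=SHARE_ROOT):
    """Map a request target to a path under root; return None to refuse it."""
    decoded = request_target.split("?", 1)[0]
    # Decode until stable so double encoding (%252e) cannot hide dots.
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    else:
        return None  # still changing after three rounds: refuse
    if "\x00" in decoded or ":" in decoded:
        return None  # NUL byte, drive letter or alternate data stream
    parts = [p for p in decoded.replace("\\", "/").split("/") if p]
    for part in parts:
        # Refuses ".", "..", "..." and names ending in dots or spaces,
        # which Windows path handling would silently rewrite.
        if part.rstrip(". ") != part:
            return None
    candidate = ntpath.normpath(ntpath.join(root, *parts))
    base = ntpath.normcase(ntpath.normpath(root))
    # Defence in depth: the normalised result must still sit under root.
    found = ntpath.normcase(candidate)
    if found != base and not found.startswith(base + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request targets modelled on the advisory's examples.
    for target in ("/docs/report.txt",
                   "/.../.../.../.../.../windows/explorer.exe",
                   "/%2e%2e/%2e%2e/windows/system32/cmd.exe?/c+dir"):
        print(target, "->", resolve_request_path(target))
```

A server applying this check would answer a refused target (None) with an error and never open, list or execute the file.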


credit:
dr_insane