
FW: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

From: Rohit Patnaik [mailto:quanticle@gmail.com] 
Sent: Tuesday, December 15, 2009 6:29 PM
To: Thor (Hammer of God)
Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server

Wow.  Very nice find.  One question: all the cited tools are Windows executables.  Has there been any attempt to run the database viewer in Linux via Wine?  I'm wondering if I'm going to have to set up a VM to try to confirm this, or if I can try to do this via Wine.

Although the n3td3v drama is entertaining, it's finds like this which keep me subscribed to this list.


File Access Vulnerability in Easy File Sharing Web Server

Discovered by:
Timothy "Thor" Mullen


Testing by Steve "Raging Haggis" Moffat, Hammer of God, Bermuda Labs

Product:        Easy File Sharing Web Server, current versions, default installation
Vendor:         http://www.sharing-file.com/

[ECHO_ADV_101$2008] Attachmax Dolphin <= 2.1.0 Multiple Vulnerabilities

Vendor      : http://www.attachmax.com/
Description :

Attachmax allows you to run your very own youtube Video Community site, just like popular Videos sites
such as youtube, dailymotion and revver. Additionally Attachmax includes the ability for Images and Files,
following the trend of other popular File Sharing communities such as Imageshack and Rapidshare. 
So not only do you get a fully functional Video Script, but a complete File Sharing Website.

---------------------------------------------------------------------------

Vulnerability:

Upload directory traversal in Easy File Sharing 4.5

#######################################################################

                             Luigi Auriemma

Application:  Easy File Sharing Web Server
              http://www.sharing-file.com
Versions:     <= 4.5
Platforms:    Windows
Bugs:         A] upload directory traversal
              B] download of database files

[ MDVSA-2009:277 ] samba

 Problem Description:

 Multiple vulnerabilities have been found and corrected in samba:
 
 The SMB (aka Samba) subsystem in Apple Mac OS X 10.5.8, when Windows
 File Sharing is enabled, does not properly handle errors in resolving
 pathnames, which allows remote authenticated users to bypass intended
 sharing restrictions, and read, create, or modify files, in certain
 circumstances involving user accounts that lack home directories
 (CVE-2009-2813).
 

[ MDVSA-2009:320 ] samba

 3.3.6, when dos filemode is enabled, allows remote attackers to modify
 access control lists for files via vectors related to read access to
 uninitialized memory (CVE-2009-1888).
 
 The SMB (aka Samba) subsystem in Apple Mac OS X 10.5.8, when Windows
 File Sharing is enabled, does not properly handle errors in resolving
 pathnames, which allows remote authenticated users to bypass intended
 sharing restrictions, and read, create, or modify files, in certain
 circumstances involving user accounts that lack home directories
 (CVE-2009-2813).
 

HTC / Windows Mobile OBEX FTP Service Directory Traversal

Description:
There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Bluetooth Stack implemented in HTC devices running Windows Mobile 6 and Windows Mobile 6.1. The OBEX FTP server is located in \Windows\obexfile.dll. Microsoft states this is a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability affects only this vendor.

A remote attacker (who previously obtained authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls from a Linux box to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ sequences.

The only requirement is that the attacker must have authentication and authorization privileges over Bluetooth. Pairing with the remote device should be enough to obtain them; however, more sophisticated attacks, such as sniffing the Bluetooth pairing, link key cracking and BD_ADDR address spoofing, can be used to avoid this step. Devices must have Bluetooth enabled and the File Sharing over Bluetooth service active when the attack is performed. Once the attacker has obtained the proper privileges, further actions are transparent to the user.

The scope of the Directory Traversal vulnerability allows the attacker to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ sequences. This flaw allows an attacker to browse folders located anywhere in the file system, download files from any folder, and upload files to any folder.

A remote attacker who previously obtained authentication and authorization rights over Bluetooth can perform three risky actions on the device:


MonGoose 2.4 Directory Traversal Vulnerability

#########################################################################################

[Info]: Easy-to-use web server for Windows and UNIX. Mongoose provides a simple and clean API
 for embedding it into existing programs. It targets web application developers, embedded system developers,
 and people who need to set up file sharing quickly.

[Site]: http://code.google.com/p/mongoose/


[Vulnerability]:  

iDefense Security Advisory 06.16.10: Samba 3.3.12 Memory Corruption Vulnerability

Jun 16, 2010

I. BACKGROUND

Samba is an open-source Unix server application used to implement
Windows file sharing and domain controlling functionality. For more
information, please visit: http://www.samba.org

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability within Samba

ClarkConnect XSS vulnerability

Hello,

I have found an XSS vulnerability in ClarkConnect web interface.
ClarkConnect is an internet server and gateway that provides protocol filtering, bandwidth management, Windows File Sharing / Samba, LDAP Directory Integration and other features...
The vulnerability was found in the latest version of this product (5.0).
ClarkConnect installs a Web server on port 82 to process the PHP scripts it uses for configuration.

Proof of concept:
http://server_address:82/public/proxy.php?url=<script>alert("XSS")</script>


CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

Zone with a custom security setting.
   . Only run IE in Protected Mode if it is available on the operating
system.
   . Use a different web browser to navigate untrusted web sites.

Additionally, although disabling file sharing if it is not necessary and
filtering outbound SMB connections at the endpoint or network perimeter
may not prevent exploitation, they are generally good security measures
that prevent disclosure of sensitive information such as valid usernames
of endpoint users.


Re: [WEB SECURITY] countermeasure against attacks through HTML shared files

Hi Francisco,

It would have been cool to mention Microsoft SharePoint as an example of
a popular file sharing system that allows persistent XSS through shared
HTML files. i.e.:

https://moss.company.foo/_catalogs/users/Attachments/<userID>/evil.html
https://moss.company.foo/<siteName>/<SectionName>/evil.html

Where 'evil.html' would be a page containing JavaScript. i.e.:

CORE-2009-0625: Internet Explorer Dynamic OBJECT tag and URLMON sniffing vulnerabilities

controls.
   . Disable Active Scripting for the Internet and Local Intranet zones
manually with a custom security setting.
   . Use a different web browser to navigate untrusted web sites.

Additionally, disabling file sharing if it is not necessary and
filtering outbound SMB connections at the endpoint or network perimeter
are good security measures to prevent disclosure of sensitive
information such as valid user, system and domain names that could be
used to perform attacks that abuse the vulnerabilities described in this
advisory.

[SECURITY] [DSA 1967-1] New transmission packages fix directory traversal

Problem type   : local(remote)
Debian-specific: no
CVE Id(s)      : CVE-2010-0012

Dan Rosenberg discovered that Transmission, a lightweight client for
the BitTorrent file-sharing protocol, performs insufficient sanitising
of file names specified in .torrent files. This could lead to the
overwrite of local files with the privileges of the user running
Transmission if the user is tricked into opening a malicious torrent
file.


DDIVRT-2008-11 BadBlue uninst.exe DoS

Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James and r@b13$

Vulnerability Description
-------------------------
BadBlue is a web server used for peer-to-peer file sharing. By default, several executable files are stored in the web root: badblue.exe, uninst.exe, and dyndns.exe. Executable files stored in the web root of BadBlue can be launched remotely by any user. This can be leveraged to create a DoS condition by repeatedly invoking the uninst.exe executable. Because BadBlue has not released a patch for the previously documented directory traversal vulnerability (CVE-2007-6378), an attacker may use these two flaws in conjunction to place a malicious executable in the web root and compromise a vulnerable server.

Solution Description
--------------------
Restrict access to the executables already in the web root (badblue.exe, uninst.exe, and dyndns.exe) and take steps to ensure that users cannot write files to the web root.


iDefense Security Advisory 08.04.08: Solaris snoop SMB Decoding Multiple Stack Buffer Overflow Vulnerabilities

I. BACKGROUND

The snoop command line utility is installed by default on Solaris. It is
used to capture and display network traffic, similar to the widely used
tcpdump program. Server Message Block (SMB), is a network protocol used
for Microsoft Windows file sharing. More information can be found on the
vendor's website at the following URL.

http://docs.sun.com/app/docs/doc/816-0211/6m6nc677k?a=view

II. DESCRIPTION

iDefense Security Advisory 11.14.07: Apple Mac OS X AppleTalk ASP Message Kernel Heap Overflow Vulnerability

legacy protocol, it is still supported on the latest version of Mac OS
X. AppleTalk is compiled into the default kernel, but must be turned on
in order to be used.

ASP, as its name implies, is a Session Layer protocol that is used by
the AppleTalk File Sharing protocol to establish connections with a
peer. More information can be found at the following URL.

http://docs.info.apple.com/article.html?artnum=50039

II. DESCRIPTION

iDefense Security Advisory 08.04.08: Solaris snoop SMB Decoding Multiple Format String Vulnerabilities

I. BACKGROUND

The snoop command line utility is installed by default on Solaris. It is
used to capture and display network traffic, similar to the widely used
tcpdump program. Server Message Block (SMB), is a network protocol used
for Microsoft Windows file sharing. More information can be found on the
vendor's website at the following URL.

http://docs.sun.com/app/docs/doc/816-0211/6m6nc677k?a=view

II. DESCRIPTION

[ GLSA 200710-25 ] MLDonkey: Privilege escalation

shell and no password.

Background
==========

MLDonkey is a peer-to-peer filesharing client that connects to several
different peer-to-peer networks, including Overnet and BitTorrent.

Affected packages
=================


Re: [WEB SECURITY] countermeasure against attacks through HTML shared files

Hi Adrian,

>It would have been cool to mention Microsoft SharePoint as an example of
>a popular file sharing system that allows persistent XSS through shared
>HTML files. i.e.:

Thanks for pointing this out.  I didn't look at SharePoint, actually.  I did look at many others, and didn't find any that took any explicit precautions against XSS through shared files.  But I thought there was no need to mention any names in the paper.

Francisco


iMesh <= 7.1.0.x IMWebControl Class (IMWeb.dll 7.0.0.x) remote exploit

(IE7/XP full patched)
by rgod, site: http://retrogod.altervista.org/

software site: http://www.imesh.com

"iMesh is a file sharing and online social network. It uses a proprietary,
centralized, P2P protocol. iMesh is owned by an American company iMesh,
Inc. and maintains a development center in Israel.
iMesh was the first company to introduce "swarming" - the ability to download
one file from multiple sources, increasing download speed."


iDefense Security Advisory 11.14.07: Apple Mac OS X AppleTalk mbuf Kernel Heap Overflow Vulnerability

non-trivial.

In order to exploit this vulnerability, a system would have to have
AppleTalk turned on. It would likely be used on a network consisting of
older Mac hosts since previous versions of Mac relied on it to implement
Apple File Sharing.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Mac OS X
10.4.10, Workstation and Server editions. Previous versions may also be

XSS in Webmin 1.540 + exploit for privilege escalation

Description
------------------
Webmin is a web-based interface for system administration for Unix.
Using any modern web browser, you can setup user accounts, Apache,
DNS, file sharing and much more.
https://secure.wikimedia.org/wikipedia/en/wiki/Webmin


Details
-------------------



Copyright © 1995-2012 LinuxRocket.net. All rights reserved.