Vulnerability analysis of HFS 2.3
According to the CVE details for this vulnerability (CVE-2014-6287), the findMacroMarker
function in parserLib.pas
in Rejetto HTTP File Server (otherwise known as HFS or HttpFileServer) 2.3x (in versions prior to 2.3c) allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.
Here is the vulnerable function:
function findMacroMarker(s:string; ofs:integer=1):integer;
begin result:=reMatch(s, '\{[.:]|[.:]\}|\|', 'm!', ofs) end;
The function will not handle a null byte safely, so a request to http://localhost:80/search=%00{.exec|cmd.}
will stop regex from parsing the macro, and remote code injection will happen.
Note
Details about the exploit can be found at https://www.rapid7.com/db/modules/exploit/windows/http/rejetto_hfs_exec ...
Get Mastering Metasploit now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.