Re: File Access Vulnerability in Easy File Sharing Web Server

[Rohit Patnaik <quanticle () gmail com>]

Wow.  Very nice find.  One question: all the cited tools are Windows
executables.  Has there been any attempt to run the database viewer in Linux
via Wine?  I'm wondering if I'm going to have to set up a VM to try to
confirm this, or if I can try to do this via Wine.

Although the n3td3v drama is entertaining, its finds like this which keep me
subscribed to this list.

Thanks again,
Rohit Patnaik

On Tue, Dec 15, 2009 at 6:16 PM, Thor (Hammer of God)
<thor () hammerofgod com>wrote:

> File Access Vulnerability in Easy File Sharing Web Server
>
> Discovered by:
> Timothy "Thor" Mullen
>
>
> Testing by Steve "Raging Haggis" Moffat, Hammer of God, Bermuda Labs
>
> Product:        Easy File Sharing Web Server, current versions, default
> installation
> Vendor:         http://www.sharing-file.com/
>
> Vendor Notification and Disclosure:
> 08/22/09: EFSW support notified of issue.
> 08/22/09: EFSW said it is not an issue because you can turn off direct file
> access.
> 08/23/09: EFSW support notified that FILES.SDB file can be directly
> accessed.
> 08/24/09: EFSW replied, saying 'no, you can't access the file,' even though
> you can.
> 12/15/09: Hammer of God released full details after waiting 4 months for
> vendor to fix.
>
> About:
> Easy File Sharing Web Server is an extremely popular web-based file sharing
> application that has been in use for years.
> It is a fast, easy to use commercial, standalone "all-in-one" file-sharing
> web server.
>
> Customers use a built-in interface to point to files they wish to publish
> via a menu-driven web application (typically full drives or directories).
>  Files can be shared anonymously, or via EFSWS's built-in user management.
> EFSWS has built-in SSL encryption to prevent logons from being sent in the
> clear (as well as all other access).    Users log in, and are presented with
> a menu of files that have been published and that are made available for
> download.
>
> EFSWS uses the MGH Software "myDB" database plug-in to store db information
> such as file location, user information (password in the clear), files,
> forum information, etc.   A free db parser is available at:
> http://www.mghsoft.com/
>
> Please see vendor site and db engine site for more details.
>
> Vulnerability details:
> By default, EFSWS allows a user to download a file directly via a URL if
> the file name is known.  For example, if the file name posted is
> MyFileName1234.exe, then one could go directly to:
> https://www.SiteRunningEFSWS.com/MyFileName1234.exe and immediately begin
> downloading the file.
>
> In itself, this is not a big issue as one would have to guess any given
> filename.  However, EFSWS always uses the common file name "FILES.SDB" to
> store all the files being published.  This file is stored in the root
> program directory.  While the EFSWS product engine filters out many file
> types, it does NOT filter out FILES.SDB.  If you know someone is running
> EFSWS, one simply has to access the following URL to anonymously download
> the FILES.SDB file without authentication:
> https://www.SiteRunningEFSWS.com/files.sdb
>
> This will download the FILES.SDB file and will allow an attacker to see
> every published file via the free viewer record by record. (You can of
> course view the db as a text file).  Entries look like this:
>
> "V:\rootDirForFiles\applications\Acronis Disk Director Suite
> 10.2160\ioware-w32-x86-30.exe"
> "D:\anotherdir\music\crystalmethod\boom.mp3"
>
> One can now access files directly by removing the drive letter and top
> directory as follows:
> https://www.SiteRunningEFSWS.com/music/crystalmethod/boom.mp3
>
> With the ease of database access to filenames, it is trivial to script up a
> client app to download all published files on the server without
> authentication over SSL.
>
> Further, it is trivial to determine if someone is running EFSWS, even on an
> alternate port, by using the following Googledork:  inurl:vfolder.ghp.
>  There are other more accurate Googledorks, but I'll leave that up to the
> researcher.
>
> This will show the (typically) unique file "vfolder.gph" results, where you
> can retrieve the full company URL from, including portnumber.  This too can
> be scripted.
>
> I am still trying different methods to access the USERS.SDB file, also in
> the root application directory, which contains all users (even
> administrative) and passwords (in the clear) in an effort to bypass any
> mandatory authentication applied, but have not found a way to gain access to
> this file externally yet.
>
> Vulnerable Versions:
> The current version is 5.0, released in August of this year.  While certain
> vulnerability testing took place in our Hammer of God labs in Bermuda, we
> were not able to check all versions of the software.  Self-assessment is
> trivial, so we will leave it up to user to perform his/her own testing.
>
>
> Summary:
> Many companies use EFSWS to "securely" publish files for access to
> employees, vendors, and customers via SSL controlled by credential logon.
>  By default, files published may be accesses anonymously if the full file
> name is used.  Full filename details can be anonymously downloaded by
> accessing the FILES.SDB file, thus immediately allowing anonymous access to
> any file an attacker wants.  Note that other system files (such as logs) can
> also be accessed.  A googledork allows for searching against systems running
> EFSWS, thus providing a fully scriptable attack against all servers running
> this product for an anonymous attacker to download all files from all
> servers over SSL.
>
> Work-arounds:
> Ensure that all file access requires logon.  Use ISA/TMG to filter requests
> for /files.sdb.
>
> Get hammered at HammerofGod.com
>
>
> --------------------
> Timothy Thor Mullen
> thor () hammerofgod com
> www.hammerofgod.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/