Discovery Date: 1.16.2008
Release Date: 1.23.2008
Affected Applications: HFS 2.2 to and including 2.3(Beta Build #174)
Non-Affected Applications: HFS 2.1d and earlier versions
Class: Arbitrary File/Directory Manipulation, Denial of Service
Status: Patch available/Vendor informed
Vendor: Massimo Melina
Vendor URL: http://www.rejetto.com/hfs -or- hfs.sourceforge.net
The Common Vulnerabilities and Exposures (CVE) project has assigned the following CVEs to these vulnerabilities:
- CVE-2008-0405 - Arbitrary File/Folder Creation Vulnerability
- CVE-2008-0406 - Denial of Service (DoS) Vulnerability
Overview: HFS is a very popular open source HTTP server designed for easily sharing files. According to information on the official website, the HTTP File Server software has been downloaded about 2 million times.
Description: HFS (versions 2.2 to 2.3 beta) will not check if an account name provided during navigation exists or contains any invalid chars before logging information about a request. This is specially dangerous if the server has been configured to use account names as log filenames.
In this case, a remote attacker can use this flaw to create arbitrary files, append data to arbitrary files, create arbitrary folders or launch a DoS attack against the server. Technical details are included below.
Details (Replicating the issues):
1) Arbitrary File/Directory Manipulation Vulnerability
See the mkd and manipf commands
Example 1 - Arbitrary Directory Creation:
If HFS is running (for e.g.) in the C:\HFS directory, you can create the C:\Syhunt\ directory by entering:
Example 2 - Arbitrary File Creation/Manipulation:
manipf [localfilename] [remotefilename]
manipf inject.html ..\Syhunt\index.html
This example would create the file C:\Syhunt\index.html and append the content of the file inject.html to it.
2) Denial of Service (DoS) Vulnerability
- HFS will close immediately after receiving the DoS request
- This issue is related to Windows limitations with long
filenames. XP has a limit of 255 characters; Windows Vista a 260 chars limit.
Vulnerability Status: The vendor was contacted and has immediately released HFS 2.2c which fixes these problems. The new version can be downloaded at www.rejetto.com/hfs/download or via the "Check for news/updates" option in the HFS menu.
As a workaround for the affected releases, users can temporarily disable the logging feature or remove the symbol from the log filename.
Testers of HFS 2.3 Beta should upgrade to the latest 2.3 beta build.
HFS 2.3 Beta specifically is only affected if the option "Accept any login for unprotected resources" is enabled. This option, introduced in this version, is disabled by default.
Felipe Aragon and Alec Storm
Syhunt Security Research Team, www.syhunt.com
Copyright © 2008 Syhunt Security
Disclaimer: The information in this advisory is provided "as is" without warranty of any kind. Details provided are strictly for educational and defensive purposes.
Syhunt is not liable for any damages caused by direct or indirect use of the information provided by this advisory.