File Access Vulnerability in Easy File Sharing Web Server Discovered by: Timothy "Thor" Mullen
Testing by Steve "Raging Haggis" Moffat, Hammer of God, Bermuda Labs Product: Easy File Sharing Web Server, current versions, default installation Vendor: http://www.sharing-file.com/ Vendor Notification and Disclosure: 08/22/09: EFSW support notified of issue. 08/22/09: EFSW said it is not an issue because you can turn off direct file access. 08/23/09: EFSW support notified that FILES.SDB file can be directly accessed. 08/24/09: EFSW replied, saying 'no, you can't access the file,' even though you can. 12/15/09: Hammer of God released full details after waiting 4 months for vendor to fix. About: Easy File Sharing Web Server is an extremely popular web-based file sharing application that has been in use for years. It is a fast, easy to use commercial, standalone "all-in-one" file-sharing web server. Customers use a built-in interface to point to files they wish to publish via a menu-driven web application (typically full drives or directories). Files can be shared anonymously, or via EFSWS's built-in user management. EFSWS has built-in SSL encryption to prevent logons from being sent in the clear (as well as all other access). Users log in, and are presented with a menu of files that have been published and that are made available for download. EFSWS uses the MGH Software "myDB" database plug-in to store db information such as file location, user information (password in the clear), files, forum information, etc. A free db parser is available at: http://www.mghsoft.com/ Please see vendor site and db engine site for more details. Vulnerability details: By default, EFSWS allows a user to download a file directly via a URL if the file name is known. For example, if the file name posted is MyFileName1234.exe, then one could go directly to: https://www.SiteRunningEFSWS.com/MyFileName1234.exe and immediately begin downloading the file. In itself, this is not a big issue as one would have to guess any given filename. However, EFSWS always uses the common file name "FILES.SDB" to store all the files being published. This file is stored in the root program directory. While the EFSWS product engine filters out many file types, it does NOT filter out FILES.SDB. If you know someone is running EFSWS, one simply has to access the following URL to anonymously download the FILES.SDB file without authentication: https://www.SiteRunningEFSWS.com/files.sdb This will download the FILES.SDB file and will allow an attacker to see every published file via the free viewer record by record. (You can of course view the db as a text file). Entries look like this: "V:\rootDirForFiles\applications\Acronis Disk Director Suite 10.2160\ioware-w32-x86-30.exe" "D:\anotherdir\music\crystalmethod\boom.mp3" One can now access files directly by removing the drive letter and top directory as follows: https://www.SiteRunningEFSWS.com/music/crystalmethod/boom.mp3 With the ease of database access to filenames, it is trivial to script up a client app to download all published files on the server without authentication over SSL. Further, it is trivial to determine if someone is running EFSWS, even on an alternate port, by using the following Googledork: inurl:vfolder.ghp. There are other more accurate Googledorks, but I'll leave that up to the researcher. This will show the (typically) unique file "vfolder.gph" results, where you can retrieve the full company URL from, including portnumber. This too can be scripted. I am still trying different methods to access the USERS.SDB file, also in the root application directory, which contains all users (even administrative) and passwords (in the clear) in an effort to bypass any mandatory authentication applied, but have not found a way to gain access to this file externally yet. Vulnerable Versions: The current version is 5.0, released in August of this year. While certain vulnerability testing took place in our Hammer of God labs in Bermuda, we were not able to check all versions of the software. Self-assessment is trivial, so we will leave it up to user to perform his/her own testing. Summary: Many companies use EFSWS to "securely" publish files for access to employees, vendors, and customers via SSL controlled by credential logon. By default, files published may be accesses anonymously if the full file name is used. Full filename details can be anonymously downloaded by accessing the FILES.SDB file, thus immediately allowing anonymous access to any file an attacker wants. Note that other system files (such as logs) can also be accessed. A googledork allows for searching against systems running EFSWS, thus providing a fully scriptable attack against all servers running this product for an anonymous attacker to download all files from all servers over SSL. Work-arounds: Ensure that all file access requires logon. Use ISA/TMG to filter requests for /files.sdb. Get hammered at HammerofGod.com -------------------- Timothy Thor Mullen t...@hammerofgod.com www.hammerofgod.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
