Vulnerability Note VU#251276
Rejetto HTTP File Server (HFS) search feature fails to handle null bytes
Original Release date: 06 Oct 2014 | Last revised: 06 Oct 2014

Overview
Rejetto HTTP File Server (HFS) search feature in versions 2.3, 2.3a, and 2.3b fails to handle null bytes.

Description
CWE-158: Improper Neutralization of Null Byte or NUL Character – CVE-2014-6287
Rejetto HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in parserLib.pas that fails to handle null bytes. Commands that follow a null byte in the search string are executed on the host system. As an example, the following search submitted to a vulnerable HFS instance launches calculator on the host Microsoft Windows system:

http://<vulnerable instance>/?search==%00{.exec|calc.}

Note that this vulnerability is being exploited in the wild. A Metasploit module has been released to exploit this vulnerability.
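As an added example, not part of the advisory or of HFS itself, the following Python script shows how a defender can flag the pattern described above in web server access logs: a percent-encoded NUL (%00) followed by HFS macro syntax (`{.`) in the `search` parameter. The log lines and their Common Log Format layout are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Common Log Format); not taken from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2014:10:01:02 +0000] "GET /?search=report.pdf HTTP/1.1" 200 512
10.0.0.9 - - [06/Oct/2014:10:01:07 +0000] "GET /?search==%00{.exec|calc.} HTTP/1.1" 200 43
10.0.0.9 - - [06/Oct/2014:10:01:09 +0000] "GET /?search=%00 HTTP/1.1" 200 43
10.0.0.7 - - [06/Oct/2014:10:02:00 +0000] "GET /?search=%7B.notes.%7D HTTP/1.1" 200 43
"""

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# CVE-2014-6287 signature: a NUL byte somewhere before an HFS macro opener "{."
MACRO_AFTER_NUL = re.compile(r"\x00.*\{\.", re.DOTALL)


def classify_request(target: str) -> str:
    """Return 'exploit', 'suspicious' or 'clean' for one request target."""
    query = urlsplit(target).query
    # parse_qs splits on the first '=' and percent-decodes, so %00 becomes a real NUL.
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if key == "search" and MACRO_AFTER_NUL.search(value):
                return "exploit"       # NUL followed by macro syntax in the search string
            if "\x00" in value:
                return "suspicious"    # stray NUL in any parameter is worth a look
    return "clean"


def scan_log(log_text: str):
    """Return (client_ip, verdict, target) for every non-clean request in an access log."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        verdict = classify_request(m.group("target"))
        if verdict != "clean":
            hits.append((line.split()[0], verdict, m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, verdict, target in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {ip:12} {target}")
```

Macro syntax without a preceding NUL (the last sample line) is deliberately left as clean, since the advisory ties command execution to the null byte; widen the rule if your HFS deployment never expects braces in searches.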

Impact
A remote, unauthenticated user may be able to run arbitrary operating system commands on the server.

Solution
Apply an update
This issue is addressed in HFS version 2.3c and later, available from Rejetto (see References).

Vendor Information

Vendor    Status     Date Notified   Date Updated
Rejetto   Affected   03 Oct 2014     06 Oct 2014

CVSS Metrics

Group           Score   Vector
Base            7.5     AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal        6.2     E:F/RL:OF/RC:C
Environmental   4.6     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

http://cwe.mitre.org/data/definitions/158.html
http://www.rejetto.com/hfs/
http://sourceforge.net/projects/hfs/
http://packetstormsecurity.com/files/128243/HttpFileServer-2.3.x-Remote-Command-Execution.html
https://github.com/rapid7/metasploit-framework/pull/3793

Credit
This document was written by Joel Land.

Other Information

CVE IDs: CVE-2014-6287
Date Public: 11 Sep 2014
Date First Published: 06 Oct 2014
Date Last Updated: 06 Oct 2014
Document Revision: 14
