
CERT Coordination Center

Rejetto HTTP File Server (HFS) search feature fails to handle null bytes

Vulnerability Note VU#251276

Original Release Date: 2014-10-06 | Last Revised: 2014-10-06

Overview

The search feature in Rejetto HTTP File Server (HFS) versions 2.3, 2.3a, and 2.3b fails to handle null bytes.

Description

CWE-158: Improper Neutralization of Null Byte or NUL Character - CVE-2014-6287

Rejetto HFS versions 2.3, 2.3a, and 2.3b are vulnerable to remote command execution due to a regular expression in parserLib.pas that fails to handle null bytes. Commands that follow a null byte in the search string are executed on the host system. As an example, the following search submitted to a vulnerable HFS instance launches calculator on the host Microsoft Windows system:

http://<vulnerable instance>/?search==%00{.exec|calc.}

Note that this vulnerability is being exploited in the wild. A Metasploit module has been released to exploit this vulnerability.
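
For defenders reviewing web logs from an exposed HFS instance, the following added example (not part of the original advisory or of HFS) flags requests whose search parameter decodes to a null byte, and separately those where macro syntax like the example above follows the null byte. It assumes Common Log Format lines; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry (assumed log layout).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# HFS macro opener as seen in the advisory's example, e.g. "{.exec|".
MACRO = re.compile(r"\{\.\s*\w+")

def classify_request(target):
    """Return 'null+macro', 'null' or None for one request target."""
    query = target.partition("?")[2].partition("#")[0]
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote(name).lower() != "search":
            continue
        value = unquote(raw)
        if "\x00" not in value:
            continue
        # Text after the first NUL is what the advisory says gets executed.
        tail = value.split("\x00", 1)[1]
        return "null+macro" if MACRO.search(tail) else "null"
    return None

def scan(lines):
    """Return (client, verdict) for every log line that needs review."""
    hits = []
    for line in lines:
        match = REQUEST.search(line)
        if not match:
            continue
        verdict = classify_request(match.group(1))
        if verdict:
            hits.append((line.split()[0], verdict))
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Oct/2014:10:01:02 +0000] "GET /?search==%00{.exec|calc.} HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/Oct/2014:10:02:10 +0000] "GET /?search=report.pdf HTTP/1.1" 200 2048',
    '192.0.2.33 - - [12/Oct/2014:10:03:44 +0000] "GET /?search=a%00b HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for client, verdict in scan(SAMPLE_LOG):
        print(client, verdict)
```

A "null" verdict without macro syntax is still worth reviewing, since an ordinary file search has no reason to contain a null byte.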

Impact

A remote, unauthenticated user may be able to run arbitrary operating system commands on the server.

Solution

Apply an update
This issue is addressed in HFS version 2.3c and later, available here.

Vendor Information


Rejetto

Notified: October 03, 2014 | Updated: October 06, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

This issue is addressed in HFS version 2.3c and later, available here.



CVSS Metrics

Group          Score   Vector
Base           7.5     AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal       6.2     E:F/RL:OF/RC:C
Environmental  4.6     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2014-6287
Date Public: 2014-09-11
Date First Published: 2014-10-06
Date Last Updated: 2014-10-06 19:16 UTC
Document Revision: 14

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.