Exploiting Hosting Controller 0.6.1 Hotfix 1.4 Directory Browsing Vulnerability

What this paper is
This paper describes a security vulnerability in Hosting Controller, a web hosting automation software for Windows servers. Specifically, it details how versions up to and including v.6.1 Hotfix 1.4 suffer from a directory browsing flaw. This flaw allows an authenticated user to view any file or directory on the server by manipulating specific URLs. The vendor was notified and released a patch.
Simple technical breakdown
The vulnerability lies in two ASP (Active Server Pages) files: Statsbrowse.asp and Generalbrowse.asp. These files are intended for administrative use within the Hosting Controller interface. However, due to improper input validation, an attacker can provide malicious FilePath parameters to these scripts. This allows them to navigate the server's file system, effectively reading any file or directory they choose, provided they have valid login credentials for the Hosting Controller admin interface.
Complete code and payload walkthrough
This paper does not contain any executable code or shellcode. It describes a vulnerability that is exploited by crafting specific HTTP requests. The "payload" in this context is the crafted URL itself.
Here's a breakdown of the exploit mechanism as described:
Vulnerability Point 1: admin/mail/Statsbrowse.asp
- Exploit URL Structure: http://www.yoursite.com/admin/mail/Statsbrowse.asp?FilePath=c:\&Opt=3&level=1&upflag=0
  - FilePath=c:\: This parameter is intended to specify a directory path. By setting it to c:\, the attacker attempts to access the root of the C: drive.
  - Opt=3: This parameter likely controls the operation or view mode. The value 3 is used to trigger the directory browsing functionality.
  - level=1: This parameter might relate to the depth of directory traversal or a specific view level.
  - upflag=0: This parameter's exact function is not explicitly detailed, but its value 0 is used in the exploit.
- Behavior: When this URL is accessed by an authenticated user, the Statsbrowse.asp script is expected to process the FilePath and display its contents. Due to the vulnerability, it fails to restrict access and instead lists the files and directories within c:\.
Vulnerability Point 2: admin/iis/Generalbrowse.asp
- Exploit URL Structure: http://www.yoursite.com/admin/iis/Generalbrowse.asp?FilePath=C:\
  - FilePath=C:\: Similar to the first vulnerability, this parameter specifies the target directory. Setting it to C:\ aims to access the root of the C: drive.
- Behavior: The Generalbrowse.asp script, when accessed with this crafted URL by an authenticated user, is also expected to list the contents of the specified path. The vulnerability allows it to display the file system structure of C:\.
Mapping:
- Statsbrowse.asp + FilePath=c:\&Opt=3&level=1&upflag=0 -> Directory browsing of the C: drive root.
- Generalbrowse.asp + FilePath=C:\ -> Directory browsing of the C: drive root.
Note: The paper does not provide the source code for these ASP files, so the exact internal logic and how the parameters are processed remain unknown beyond their observed effect.
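The containment check that the two scripts evidently lack, sketched as an added example (not code from the advisory or from Hosting Controller, whose ASP source is unavailable). ALLOWED_ROOT and resolve_within_root are hypothetical names, and Python's ntpath module stands in for Windows path handling so the logic runs on any platform.

```python
import ntpath

# Hypothetical per-account root; the page does not say where the product stores site data.
ALLOWED_ROOT = r"D:\HostingSpaces\customer1"


def resolve_within_root(file_path, root=ALLOWED_ROOT):
    """Return the canonical path if file_path stays inside root, else None.

    Lexical check only: a server-side handler must additionally resolve
    junctions/symlinks before trusting the result.
    """
    if not file_path or "\x00" in file_path:
        return None
    # join() lets an absolute, other-drive or UNC input replace the root
    # entirely, so such input is caught by the prefix comparison below.
    candidate = ntpath.normpath(ntpath.join(root, file_path))
    # normpath collapses "..", normcase makes the comparison case-insensitive.
    cand_cmp = ntpath.normcase(candidate)
    root_cmp = ntpath.normcase(ntpath.normpath(root))
    if cand_cmp == root_cmp or cand_cmp.startswith(root_cmp + "\\"):
        return candidate
    return None


if __name__ == "__main__":
    # The first two values are the FilePath values shown on this page;
    # the rest are constructed inputs.
    for value in ("c:\\", "C:\\", r"..\..\Windows", r"\\fileserver\share",
                  r"..\customer1evil\x", r"logs\2004"):
        print(repr(value), "->", resolve_within_root(value))
```
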
Practical details for offensive operations teams
- Required Access Level: Authenticated user access to the Hosting Controller administrative interface is required. This is not an unauthenticated remote code execution vulnerability.
- Lab Preconditions:
- A lab environment with Hosting Controller v.6.1 Hotfix 1.4 (or an unpatched earlier version) installed on a Windows server.
- A valid set of administrative credentials for the Hosting Controller.
- A web browser capable of making HTTP requests.
- Tooling Assumptions:
- Standard web browser for crafting and submitting URLs.
- Tools like curl or wget could be used for scripting or automating requests.
- Proxy tools like Burp Suite or OWASP ZAP would be invaluable for intercepting, modifying, and replaying requests, as well as for exploring the file system once initial access is gained.
- Execution Pitfalls:
- Authentication Bypass: The primary prerequisite is having valid credentials. If credentials cannot be obtained through other means (e.g., phishing, weak passwords, other vulnerabilities), this exploit is not directly usable.
- Incorrect URL Structure: Minor typos or incorrect parameter values will prevent the exploit from working. The exact parameters (Opt, level, upflag) might vary slightly in behavior or be different in other unpatched versions, requiring reconnaissance.
- File System Permissions: While the vulnerability allows browsing, the ability to read specific files might still be subject to underlying Windows file system permissions. The exploit allows browsing directories, but accessing sensitive files within those directories depends on the permissions of the Hosting Controller service account or the user context under which the ASP pages are executed.
- Logging: All requests to these ASP files will likely be logged by the web server (IIS) and potentially by Hosting Controller itself.
- Patching: The vendor released a patch. If the target system is updated, this specific vulnerability will not be present.
- Tradecraft Considerations:
- Reconnaissance: Identify the Hosting Controller installation and its administrative URL. Attempt to gain valid credentials.
- Stealth: Once authenticated, use a proxy tool to craft and test the exploit URLs. Avoid direct, obvious browsing that might trigger alerts.
- Information Gathering: Use the directory browsing to identify sensitive configuration files, user data, or other valuable information. The goal is to find actionable intelligence for further exploitation or data exfiltration.
- Persistence: This vulnerability itself does not provide persistence. Any persistence mechanisms would need to be established through other means after gaining access to sensitive information or executing other code.
Where this was used and when
- Discovery Date: May 6, 2004.
- Advisory Release Date: December 7, 2004.
- Publication Date (milw0rm): December 5, 2004.
- Context: This vulnerability was likely exploited in the wild by attackers who had already gained authenticated access to Hosting Controller instances. Its primary use would have been for reconnaissance and information gathering on compromised hosting environments. Given the publication date, it's most relevant to the mid-2000s.
Defensive lessons for modern teams
- Input Validation is Crucial: Never trust user-supplied input, especially when it's used in file path operations. Always sanitize and validate input to prevent directory traversal attacks.
- Principle of Least Privilege: Ensure that web applications and their components run with the minimum necessary privileges. The service account running the web server and application should not have broad file system access unless absolutely required.
- Secure Configuration Management: Regularly review application configurations for security best practices. Ensure administrative interfaces are properly secured and that unnecessary features are disabled.
- Patch Management: Promptly apply vendor-supplied security patches. This vulnerability was addressed by the vendor, highlighting the importance of keeping software up-to-date.
- Web Application Firewalls (WAFs): WAFs can help detect and block common web attack patterns, including directory traversal attempts, by analyzing request URLs and parameters.
- Logging and Monitoring: Implement comprehensive logging for web server access and application events. Monitor these logs for suspicious activity, such as unusual URL patterns or access to sensitive directories.
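For the logging and monitoring point, an added example (not part of the advisory) that scans IIS W3C log lines for requests to the two scripts named on this page whose FilePath falls outside an expected hosting root. The log lines are constructed sample data, and EXPECTED_ROOT and the field selection are assumptions.

```python
import ntpath
from urllib.parse import parse_qsl

# The two script paths come from the advisory; IIS paths are case-insensitive.
WATCHED = {"/admin/mail/statsbrowse.asp", "/admin/iis/generalbrowse.asp"}
EXPECTED_ROOT = r"d:\hostingspaces"  # hypothetical root, lower-case for comparison

# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-12-08 10:15:02 192.0.2.10 GET /admin/main.asp - 200
2004-12-08 10:15:40 192.0.2.10 GET /admin/mail/Statsbrowse.asp FilePath=c:\&Opt=3&level=1&upflag=0 200
2004-12-08 10:16:05 192.0.2.10 GET /admin/iis/Generalbrowse.asp FilePath=C:%5C 200
2004-12-08 10:20:11 198.51.100.7 GET /admin/iis/Generalbrowse.asp FilePath=D:\HostingSpaces\customer1\wwwroot 200
2004-12-08 10:21:30 198.51.100.7 GET /admin/mail/statsbrowse.asp filepath=D:\HostingSpaces\..\Windows&Opt=3 200
"""


def outside_root(path):
    """True if the normalised Windows path is not under EXPECTED_ROOT."""
    p = ntpath.normcase(ntpath.normpath(path))
    return not (p + "\\").startswith(EXPECTED_ROOT + "\\")


def find_hits(log_text):
    """Return (date, time, client IP, script, FilePath) for each flagged request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        if row.get("cs-uri-stem", "").lower() not in WATCHED:
            continue
        # parse_qsl percent-decodes, so c:\ and C:%5C are treated alike.
        for key, value in parse_qsl(row.get("cs-uri-query", "")):
            if key.lower() == "filepath" and outside_root(value):
                hits.append((row["date"], row["time"], row["c-ip"],
                             row["cs-uri-stem"], value))
    return hits


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(*hit)
```
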
ASCII visual (if applicable)
This vulnerability is a direct manipulation of URLs within an authenticated session. An ASCII diagram for this specific exploit is not particularly helpful as it's a linear request-response interaction. However, a simplified flow could be:
+-----------------+       +-----------------------+       +---------------------+
| Attacker (Auth) | ----> | Hosting Controller    | ----> | Web Server (IIS)    |
| (Browser/Proxy) |       | Admin Interface       |       |                     |
+-----------------+       +-----------------------+       +---------------------+
        |                                                            |
        | Crafted URL (e.g., .../Statsbrowse.asp?FilePath=C:\)       |
        |                                                            |
        v                                                            v
+-----------------------------------------------------------------+
| Vulnerable ASP Script (Statsbrowse.asp / Generalbrowse.asp)     |
| (Fails to validate FilePath, allows traversal)                  |
+-----------------------------------------------------------------+
        |
        | Reads/Lists files/directories from server's filesystem
        | (subject to OS permissions)
        |
        v
+-----------------------------------------------------------------+
| Attacker receives directory listing or file content in response |
+-----------------------------------------------------------------+
Source references
- Paper URL: https://www.exploit-db.com/papers/675
- Raw URL: https://www.exploit-db.com/raw/675
- Vendor Homepage: http://www.hostingcontroller.com (Note: This URL may no longer be active or may redirect.)
- References from paper:
Original Exploit-DB Content (Verbatim)
Advisory Information
-------------------------
Software Package : Hosting Controller
Vendor Homepage : http://www.hostingcontroller.com
Platforms : Windows based servers
Vulnerable Versions : All version ( Tested on: v.6.1 Hotfix 1.4 )
Vendor Contacted : 12/5/2004
Release Date: : 12/7/2004
Summary
------------
Hosting Controller is a complete array of Web hosting automation tools
for the Windows Server family platform.
Hosting Controller has a security flaw which allows attackers to browse
any file and any directory on that server.
Details
---------
Vulnerability - Directories Browsing files on the system.
Foolish vulnerability:
1)This vulnerability is on the admin/mail/Statsbrowse.asp and attackers
can view the Harddisk by using this file.
Login with your account
http://www.yoursite.com/admin
Now you see
http://www.yoursite.com/admin/main.asp
Change this url to
http://www.yoursite.com/admin/mail/Statsbrowse.asp?FilePath=c:\&Opt=3&level=1&upflag=0
2)This vulnerability is on the admin/iis/Generalbrowse.asp and attackers
can view the Harddisk by using this file.
Login with your account
http://www.yoursite.com/admin
Now you see
http://www.yoursite.com/admin/main.asp
Change this url to
http://www.yoursite.com/admin/iis/Generalbrowse.asp?FilePath=C:\
Solution
----------
The vender was notified, they have released a patch.
Update Your software
Credits
---------
Discovered on May 6, 2004 by (\/) Mouse
Mouse@Shabgard.org
Additional Research: s7az2mm and bl2k
http://Shabgard.org
References
-------------
http://isun.Shabgard.org/hc.html
http://isun.Shabgard.org/hc.txt
# milw0rm.com [2004-12-05]