HTTP File Server 2.3.x Remote Command Execution(CVE-2014-6287)

HTTP File Server (HFS)

HFS is a common file sharing software to transfer files over HTTP.  HFS is designed to share files utilizing web technology. Different from classic file sharing because there is no network usage in HFS. Most importantly, HFS is a web server which uses web technology to be more compatible with today’s Internet.

Vulnerability Details

According to post in NVD, “The findMacroMarker function in ParserLib.pas in Rejetto HTTP File server (aka HFS or HTTPFileServer), 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action”.


With no authorization required to exploit this vulnerability and a public exploit available, all the servers running Rejetto HFS 2.3.b can be easily compromised within a second, giving an attacker complete access to the server.
There is an exploit available for this vulnerability in Metasploit’s exploit module. Moreover, there is another exploit, written in python which is published in exploit database in January 2016.

How the exploit works?

Exploit requires two arguments and it opens a URL using urllib2.urlopen using those supplied arguments along with ‘/?search=%00{..}.’

The final request URL looks like: TargetIP:Port/?search=%00{..}.

This exploit creates a vb script file named ‘script.vbs’ which is stored in C:\Users\Public directory and calls for nc.exe from attackers web server running netcat. Then, it executes the script.vbs script in victim’s machine. After the execution of the script, victim’s machine gets connected to attackers web server running netcat.

This exploit is available here.

Current Scenario:

A quick search in shodan with term HFS 3.2b shows there are as many as 43 devices accessible via The Internet till date. Even the bug was addressed and solved in the later version of the HFS long time ago, some high profile companies seems to be unaware about this critical bug. According to shodan, the top countries running this vulnerable version of HFS goes this way:

Top Countries running HFS 2.3b


Update your HFS to the latest version or, at least, 2.3c.

Leave a Reply

Your email address will not be published. Required fields are marked *