CVE-2014-6287
published 2014-10-07

Priority: P196, critical
CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 99.32% (99.9th percentile)

The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aka HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.

Affected

1 range

Vendor: rejetto
Product: http_file_server
Version range: >= 2.3 < 2.3c
Fixed in: 2.3c

Detection & IOCs (extracted from sources)

command: %00 sequence in a search action
process: mshta.exe
path: C:\inetpub\
path: C:\xampp\
path: C:\wamp\
path: C:\phpStudy\PHPTutorial\WWW\

  • Hunt for mshta.exe spawned as a child of an HFS/web server process; this is the execution chain used by CVE-2014-6287 exploitation in BlackSquid
  • Use Metasploit module exploit/windows/http/rejetto_hfs_exec to validate exposure; target is HttpFileServer httpd 2.3 on TCP/80
  • Detect the null-byte search request pattern in HTTP traffic to HFS: look for GET requests to the HFS search endpoint containing '%00' in the query string
  • CVE-2014-6287 only affects Rejetto HFS versions 2.3x before 2.3c; systems running 2.3c or later are not vulnerable
  • BlackSquid employs anti-VM, anti-debug, and anti-sandbox checks before executing its exploit chain; detections in sandbox environments may not trigger the CVE-2014-6287 payload
  • The hardware breakpoint evasion routine in BlackSquid is hard-coded at 0 (disabled) as of the analyzed sample, meaning this specific check may not be active in all variants

CVSS provenance

nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL