Kingsoft 8 Local File Inclusion Scanner

Detects 'Local File Inclusion (LFI)' vulnerability in Kingsoft 8.

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 3 weeks 1 hour
Scan only one: URL
Toolbox: -

Kingsoft 8 is a comprehensive security management system utilized for endpoint security and used by enterprises to ensure safe computer usage in the workplace. It is typically employed in organizations requiring robust and easily managed security measures to protect sensitive data. The software is renowned for providing features like antivirus protection, firewall functionalities, and system vulnerability scanning, and often integrates into an enterprise's existing security infrastructure. Managed by IT professionals and security teams, Kingsoft 8 operates on various Windows operating systems to maintain security integrity across entire networks. Its primary role is to safeguard systems against unauthorized access, malware, and other security threats. Being a widely used platform, it continuously receives updates to stay relevant with emerging threats.

The Local File Inclusion (LFI) vulnerability allows attackers to include files from the server's filesystem in the server response. This type of vulnerability often arises when user input is passed directly to file inclusion functions without proper sanitization or validation. LFI can be exploited by attackers to view sensitive files, such as configuration files, that could contain valuable information like system configurations, passwords, or other sensitive parameters. Attackers can also mount further attacks if the information they read helps them access deeper parts of the system. The risk level is significant, as it could eventually lead to unauthorized data exposure or system compromise. Proper coding practices and input validation can mitigate such vulnerabilities significantly.

In Kingsoft 8, the LFI vulnerability resides in the endpoint "/htmltopdf/downfile.php", specifically in the way the file is referenced through the `filename` parameter. This parameter allows unauthorized users to fetch arbitrary files, provided they know the exact file path on the server. The script backing this endpoint may not sufficiently enforce path or content validation, allowing attackers to traverse directories using '../../../' sequences to reach sensitive directories or files. The template checks the response for predictable content that should only exist in a specific file, such as 'win.ini' on Windows systems, which confirms the exploitation. It also checks the response headers for values like 'application/zip', which further affirms LFI success and implies incorrect or incomplete validation procedures.
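One way to look for this traversal pattern in web server access logs, as an added example that is not part of the original page or of the scanner's template. It assumes combined-format log lines; the function names and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/htmltopdf/downfile.php"   # endpoint named on this page
PARAM = "filename"                     # parameter named on this page
# Request line and status inside a combined-format log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalized."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(value):
    """True if the decoded value points outside the intended directory."""
    path = fully_decode(value).replace("\\", "/")  # treat both separators alike
    return (".." in path.split("/") or path.startswith("/")
            or re.match(r"[A-Za-z]:", path) is not None)  # drive-letter path

def scan(lines):
    """Return (line_number, status, decoded filename) for flagged requests."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        # Windows paths are case-insensitive, so compare in lower case.
        if fully_decode(url.path).lower() != ENDPOINT:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if is_suspicious(value):
                hits.append((n, int(m.group(2)), fully_decode(value)))
    return hits

# Constructed sample log lines (documentation IP range), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /htmltopdf/downfile.php?filename=report_2024.pdf HTTP/1.1" 200 51234',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /htmltopdf/downfile.php?filename=../../../example.ini HTTP/1.1" 200 92',
    '203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /htmltopdf/DownFile.php?filename=%252e%252e%255c%252e%252e%255cexample.ini HTTP/1.1" 404 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?filename=../x HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A flagged request with a 200 status deserves priority review, since the server returned content for a path outside the intended directory.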

When exploited, this vulnerability may result in unauthorized disclosure of server-stored files, leading to data leakage, file reconnaissance, or further exploits like Remote Code Execution. Key assets such as database credentials, application source code, and security tokens could be exposed, posing risks to the confidentiality, integrity, and availability of the system data. Attackers might leverage the accessible information for privilege escalation or lateral movement within the network, allowing them to manipulate other systems without authorization. Prevention of LFI and similar vulnerabilities is crucial to maintaining robust application and data security.
