Tandberg VCS Arbitrary File Retrieval

12 Apr 2010 00:00:00 | Reported by Timothy D. Morgan | Type: packetstorm | Source: packetstormsecurity.com

TANDBERG VCS Arbitrary File Retrieval CVE-2009-451

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
  
Virtual Security Research, LLC.  
http://www.vsecurity.com/  
Security Advisory  
  
  
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
  
Advisory Name: TANDBERG Video Communication Server Arbitrary File Retrieval  
Release Date: 2010-04-09  
Application: Video Communication Server (VCS)  
Versions: x4.3.0, x4.2.1, and possibly earlier  
Severity: Medium  
Discovered by: Jon Hart  
Advisory by: Timothy D. Morgan <tmorgan (a) vsecurity . com>  
Vendor Status: Firmware update released [2]  
CVE Candidate: CVE-2009-4511  
Reference: http://www.vsecurity.com/resources/advisory/20100409-3/  
  
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
  
  
Product Description  
- -------------------  
- From [1]:  
  
"The Video Communication Server (VCS) is an integral part of the TANDBERG   
Total Solution and is the center of the video communications network,   
connecting the benefits of video conferencing and telepresence to other   
communications environments including unified communications and IP Telephony  
networks."  
  
  
Vulnerability Overview  
- ----------------------  
On December 3rd, VSR identified a directory traversal and file retrieval  
vulnerability in TANDBERG's Video Communication Server. This issue would  
allow an authenticated attacker (who has access as an administrator or less  
privileged user on the web administration interface) to retrieve files from the  
filesystem which are readable by the "nobody" system user.  
  
  
Product Background  
- ------------------  
The TANDBERG Video Communication Server is a Linux-based appliance which  
supports the interoperation of a plethora of video and voice communications  
devices. The VCS provides a web-based management interface implemented in PHP  
which allows administrators to perform a wide variety of actions, including  
configuration of the device, management of user accounts, firmware updates,  
along with a number of other items.  
  
  
Vulnerability Details  
- ---------------------  
The TANDBERG VCS web management interface provides two nearly identical scripts  
at URLs:  
https://vulnerable.example.com/helppage.php  
https://vulnerable.example.com/user/helppage.php  
  
These help pages accept a "page" parameter in the URL which can be used to  
retrieve nearly arbitrary files from the filesystem. The relevant source code  
for these pages is as follows:  
  
// The following is Copyright (C) 2009 TANDBERG //  
...  
// Grab the content before we write anything: we'll need it for the title tag in the <head>  
// Dig out the page title, from the <title> tag,   
// then remove any surround in the page as we add our own...   
$filename = $this->helpPagePath . $_GET['page'] . $this->helpPageSuffix;  
  
if (! file_exists($filename)) {  
    $helpHTML = "There is no help available for the ". $_GET['page'] . " page<br/>";  
    $pageTitle = $_GET['page'];  
} else {  
    $helpHTML = file_get_contents($filename);  
  
...  
  
echo "\n<!-- ********** -->\n";  
echo $helpHTML;  
echo "<!-- ********** -->\n";  
...  
// end of excerpt //  
  
  
Here, the final path string ($filename) loaded and displayed to the user is  
prepended with a directory and appended with a file extension. Using simple  
directory traversal techniques ("../") it is possible to traverse to any  
directory on the filesystem. Using a trailing NUL byte encoded in the URL (%00)  
it is also possible to truncate the file path to eliminate the file extension.  
  
For instance, the following URL retrieves the /etc/passwd file:  
  
https://vulnerable.example.com/helppage.php?page=../../../../etc/passwd%00  
  
  
During testing, it was found that the x4.2.1 firmware runs the web server as the  
"nobody" user, which somewhat limits the amount of sensitive information that  
may be obtained. However, since shadowed passwords were not configured, it was  
possible to retrieve all local system users' password hashes from /etc/passwd.   
Additional password hashes are available in /tandberg/persistent/etc/digest.  
  
  
Versions Affected  
- -----------------  
VSR has successfully exploited this issue in firmware version x4.2.1. Based on  
preliminary source code analysis[2], versions x4.3.0 and x5.0 also appear to be  
vulnerable. Earlier versions have not been tested.  
  
  
Vendor Response  
- ---------------  
The following timeline details TANDBERG's response to the reported issue:  
  
2009-12-09 Preliminary notice to TANDBERG. TANDBERG responded immediately.  
  
2009-12-22 VSR provided TANDBERG a draft advisory.  
  
2009-12-28 TANDBERG provided VSR with a beta version of the x5.0 firmware,  
but this did not appear to correct the issue (based on PHP code  
analysis alone).  
  
2010-01-22 TANDBERG provided VSR with a beta version of the x5.1 firmware   
for testing which appeared to correct the vulnerability.  
  
2010-03-26 TANDBERG provided VSR with a release candidate firmware for   
version x5.1.1.  
  
2010-04-07 TANDBERG VCS firmware version x5.1.1 released [2].  
  
2010-04-09 VSR advisory released.  
  
  
Recommendation  
- --------------  
Upgrade to version x5.1.1 to correct this issue. Temporary mitigation may be  
achieved by disabling access for potentially less trusted, non-administrative  
users.  
  
  
Common Vulnerabilities and Exposures (CVE) Information  
- ------------------------------------------------------  
The Common Vulnerabilities and Exposures (CVE) project has assigned  
the number CVE-2009-4511 to this issue. This is a candidate for  
inclusion in the CVE list (http://cve.mitre.org), which standardizes  
names for security problems.  
  
  
Acknowledgements  
- ----------------  
Thanks to TANDBERG for the quick initial response and cooperation.  
  
  
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
  
References:  
  
1. TANDBERG - Video Communication Server  
http://www.tandberg.com/video-conferencing-network-infrastructure/video-communication-server.jsp  
  
2. TANDBERG VCS Firmware Downloads  
http://ftp.tandberg.com/pub/software/vcs/  
  
- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-  
Copyright 2009,2010 Virtual Security Research, LLC. All rights reserved.  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.10 (GNU/Linux)  
  
iD8DBQFLv/bkQ1RSUNR+T+gRAuThAKCTilCnuTbLWgK1U/ByAPeY9VWQGwCfZsOO  
+uOm1DQpX16KuhclPLBcdfg=  
=TQ5s  
-----END PGP SIGNATURE-----  
  
`
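
A defender-side check for the requests described in the advisory above, added here as an example (it is not part of the VSR advisory or of TANDBERG's code): it scans web access log lines for `page` values sent to the two help scripts that contain `..` path segments or a NUL byte. The combined log format, the sample lines, the `/status.php` path and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# The two script locations named in the advisory.
HELP_PATHS = {"/helppage.php", "/user/helppage.php"}
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2010:10:00:00 +0000] "GET /helppage.php?page=overview HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2010:10:00:05 +0000] "GET /helppage.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1843',
    '192.0.2.44 - - [01/Jan/2010:10:00:09 +0000] "GET /user/helppage.php?page=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 97',
    '192.0.2.10 - - [01/Jan/2010:10:00:12 +0000] "GET /status.php?page=../x HTTP/1.1" 404 0',
]

def decode_fully(raw, max_rounds=3):
    """Percent-decode a bounded number of rounds so encoded '/', '.' and NUL show up."""
    data = raw.encode("utf-8", "replace")
    for _ in range(max_rounds):
        data = unquote_to_bytes(data)
    return data

def classify_page_value(raw_value):
    """Return reasons a `page` value is suspicious; an empty list means clean."""
    value = decode_fully(raw_value)
    reasons = []
    if b"\x00" in value:
        reasons.append("nul-byte")         # would cut off the appended suffix
    if b".." in re.split(rb"[/\\]", value):
        reasons.append("dot-dot-segment")  # climbs out of the help directory
    return reasons

def scan_access_log(lines):
    """Return (line_number, request_target, reasons) for flagged help-page hits."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        path, _, query = match.group(1).partition("?") if match else ("", "", "")
        if path not in HELP_PATHS:
            continue
        for pair in query.split("&"):
            name, _, raw_value = pair.partition("=")
            reasons = classify_page_value(raw_value) if name == "page" else []
            if reasons:
                findings.append((number, match.group(1), reasons))
    return findings

if __name__ == "__main__":
    for number, target, reasons in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {target} -> {', '.join(reasons)}")
```

A hit that carries both reasons matches the request shape the advisory shows; a `dot-dot-segment` hit without a NUL byte is still worth reviewing on firmware older than x5.1.1.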
