lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 14 Dec 2017 22:02:25 +0100
From: Jakub Palaczynski <jakub.palaczynski@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Meinberg LANTIME Web Configuration Utility - Arbitrary
	File Read

Arbitrary File Read should have
CVE-2017-16786 number assigned.


11.12.2017 17:42 "Jakub Palaczynski" <jakub.palaczynski@...il.com>
napisaƂ(a):

Title: Meinberg LANTIME Web Configuration Utility - Arbitrary File Read
Author: Jakub Palaczynski
CVE: CVE-2017-16787


Exploit tested on:
==================

Meinberg LANTIME Web Configuration Utility 6.16.008


Vulnerability affects:
======================
All LTOS6 firmware releases before 6.24.004


Vulnerability:
**************

Arbitrary File Read:
====================

It is possible to read arbitrary file on the system with root permissions

Proof of Concept:
First instance:
https://host/cgi-bin/mainv2?value=800&showntpclientipinfo=
xxx&ntpclientcounterlogfile=/etc/passwd&lcs=xxx
Info-User user is able to read any file on the system with root permissions.

Second instance:
User with Admin-User access is able to read any file on the system via
firmware update functionality. Curl accepts "file" schema which actually
downloads file from the filesystem. Then it is possible to download
/upload/update file which contains content of requested file.

Contact:
========

Jakub[dot]Palaczynski[at]gmail[dot]com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists