#######################################################################

                             Luigi Auriemma

Application:  NeroNET
              http://www.nero.com
Versions:     <= 1.2.0.2
Platforms:    Windows
Bug:          limited directory traversal
Exploitation: remote
Date:         02 Nov 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


NeroNET is a web server which allows Nero users to use a CD/DVD burner
remotely.


#######################################################################

======
2) Bug
======


The program is affected by a classical directory traversal bug which
can be exploited by anyone since the directories used as base for the
attack (www and status) are publics and do NOT require authorization.
Both slash and backslash and the relative HTTP encoded chars are
allowed.
The limitation of this bug is that only some file extensions are
allowed:

  nri, nrg, zip, dvi, rtf, ppt, pdf, mpe, mpeg, mpg, mov, qt, vob, avi,
  wav, mp3, bmp, tiff, tif, jpe, jpeg, jpg, gif, log, txt, sdp, css,
  js, html, htm

The check made by NeroNET is only on the beginning of the extension so
JSP or JSWHATYOUWANT are allowed extensions since JS is in the list.


#######################################################################

===========
3) The Code
===========


  http://host/www/..%2f..%5c../..../folder/file.txt


#######################################################################

======
4) Fix
======


No fix.
No reply from the vendor.


#######################################################################


--- 
Luigi Auriemma 
http://aluigi.altervista.org