Full Disclosure mailing list archives
Re: Meinberg LANTIME Web Configuration Utility - Arbitrary File Read
From: Jakub Palaczynski <jakub.palaczynski () gmail com>
Date: Thu, 14 Dec 2017 22:02:25 +0100
Arbitrary File Read should have CVE-2017-16786 number assigned. 11.12.2017 17:42 "Jakub Palaczynski" <jakub.palaczynski () gmail com> napisaĆ(a): Title: Meinberg LANTIME Web Configuration Utility - Arbitrary File Read Author: Jakub Palaczynski CVE: CVE-2017-16787 Exploit tested on: ================== Meinberg LANTIME Web Configuration Utility 6.16.008 Vulnerability affects: ====================== All LTOS6 firmware releases before 6.24.004 Vulnerability: ************** Arbitrary File Read: ==================== It is possible to read arbitrary file on the system with root permissions Proof of Concept: First instance: https://host/cgi-bin/mainv2?value=800&showntpclientipinfo= xxx&ntpclientcounterlogfile=/etc/passwd&lcs=xxx Info-User user is able to read any file on the system with root permissions. Second instance: User with Admin-User access is able to read any file on the system via firmware update functionality. Curl accepts "file" schema which actually downloads file from the filesystem. Then it is possible to download /upload/update file which contains content of requested file. Contact: ======== Jakub[dot]Palaczynski[at]gmail[dot]com _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Meinberg LANTIME Web Configuration Utility - Arbitrary File Read Jakub Palaczynski (Dec 12)
- Re: Meinberg LANTIME Web Configuration Utility - Arbitrary File Read Jakub Palaczynski (Dec 15)