VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal
Title: VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal
Advisory ID: ZSL-2018-5454
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 31.03.2018
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
System = Indicate if the DVP is configured as Protector, Sentinel or Fortress
Version = The Operating System SW version number
Image version = Production Image version
System: DVP Protector
Version: 1.40.0.15(R) May 5 2015 05:27:05
Image version: 3.07i
System: DVP Protector
Version: 1.40.0.15(R) May 5 2015 05:27:05
Image version: 2.08
System: DVP Fortress
Version: 2.10.0.5(R) Jan 7 2018 03:26:35
Image version: 3.07
CentOS release 5.10 (Final) (2.6.18-371.el5)
ConfD
[05.03.2018] Vendor contacted.
[30.03.2018] No response from the vendor.
[31.03.2018] Public security advisory released.
[2] https://www.exploit-db.com/exploits/44386/
[3] https://packetstormsecurity.com/files/147001
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/141102
[01.04.2018] - Added reference [1]
[02.04.2018] - Added reference [2]
[08.04.2018] - Added reference [3] and [4]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2018-5454
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 31.03.2018
Summary
VideoFlow's Digital Video Protection (DVP) product is used by leading companies worldwide to boost the reliability of IP networks, including the public Internet, for professional live broadcast. DVP enables broadcast companies to confidently contribute and distribute live video over IP with unprecedented levels of service continuity, at a fraction of the cost of leased lines or satellite links. It accelerates ROI by reducing operational costs and enabling new revenue streams across a wide variety of markets.Description
The application suffers from an authenticated arbitrary file disclosure vulnerability including no session expiration. Input passed via the 'ID' parameter in several Perl scripts is not properly verified before being used to download system files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.--------------------------------------------------------------------------------
/dvp100/confd/docroot/cgi-bin/downloadsys.pl:
---------------------------------------------
1 #!/usr/bin/perl -wT
2 # http://www.sitepoint.com/file-download-script-perl/
3
4 use strict;
5 use CGI;
6 use CGI::Carp qw ( fatalsToBrowser );
7 my $files_location;
8 my $query = CGI->new;
9 my $ID = $query->param('ID');
10 my @fileholder;
11
12 $files_location = "/dvp100/confd/docroot/cgi-bin/";
13 #$ID = "syslog.tar.gz"; #param('ID');
14
15 if ($ID eq '') {
16
17 } else {
18 open(DLFILE, "<$files_location/$ID") || Error('open', 'file');
19 @fileholder = ;
20 close (DLFILE) || Error ('close', 'file');
21 print "Content-Type:application/x-download\n";
22 print "Content-Disposition:attachment;filename=$ID\n\n";
23 print @fileholder;
24 }
--------------------------------------------------------------------------------
Vendor
VideoFlow Ltd. - http://www.video-flow.comAffected Version
2.10 (X-Prototype-Version: 1.6.0.2)System = Indicate if the DVP is configured as Protector, Sentinel or Fortress
Version = The Operating System SW version number
Image version = Production Image version
System: DVP Protector
Version: 1.40.0.15(R) May 5 2015 05:27:05
Image version: 3.07i
System: DVP Protector
Version: 1.40.0.15(R) May 5 2015 05:27:05
Image version: 2.08
System: DVP Fortress
Version: 2.10.0.5(R) Jan 7 2018 03:26:35
Image version: 3.07
Tested On
CentOS release 5.6 (Final) (2.6.18-238.12.1.el5)CentOS release 5.10 (Final) (2.6.18-371.el5)
ConfD
Vendor Status
[01.02.2018] Vulnerability discovered.[05.03.2018] Vendor contacted.
[30.03.2018] No response from the vendor.
[31.03.2018] Public security advisory released.
PoC
videoflow_fd.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://cxsecurity.com/issue/WLB-2018030270[2] https://www.exploit-db.com/exploits/44386/
[3] https://packetstormsecurity.com/files/147001
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/141102
Changelog
[31.03.2018] - Initial release[01.04.2018] - Added reference [1]
[02.04.2018] - Added reference [2]
[08.04.2018] - Added reference [3] and [4]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk