← Advisories

VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal

High
Advisory ID
ZSL-2018-5454
Release Date
31 March 2018
Vendor
VideoFlow Ltd. - http://www.video-flow.com
Affected Version
2.10 (X-Prototype-Version: 1.6.0.2), System = Indicate if the DVP is configured as Protector, Sentinel or Fortress, Version = The Operating System SW version number, Image version = Production Image version, System: DVP Protector, Version: 1.40.0.15(R) May 5 2015 05:27:05, Image version: 3.07i, System: DVP Protector, Version: 1.40.0.15(R) May 5 2015 05:27:05, Image version: 2.08, System: DVP Fortress, Version: 2.10.0.5(R) Jan 7 2018 03:26:35, Image version: 3.07
CVE
CVE-2019-25256
Tested On
CentOS release 5.6 (Final) (2.6.18-238.12.1.el5), CentOS release 5.10 (Final) (2.6.18-371.el5), ConfD
Summary

VideoFlow's Digital Video Protection (DVP) product is used by leading companies worldwide to boost the reliability of IP networks, including the public Internet, for professional live broadcast. DVP enables broadcast companies to confidently contribute and distribute live video over IP with unprecedented levels of service continuity, at a fraction of the cost of leased lines or satellite links. It accelerates ROI by reducing operational costs and enabling new revenue streams across a wide variety of markets.

Description

The application suffers from an authenticated arbitrary file disclosure vulnerability including no session expiration. Input passed via the 'ID' parameter in several Perl scripts is not properly verified before being used to download system files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

/dvp100/confd/docroot/cgi-bin/downloadsys.pl: --------------------------------------------- 1 #!/usr/bin/perl -wT 2 # http://www.sitepoint.com/file-download-script-perl/ 3 4 use strict; 5 use CGI; 6 use CGI::Carp qw ( fatalsToBrowser ); 7 my $files_location; 8 my $query = CGI->new; 9 my $ID = $query->param('ID'); 10 my @fileholder; 11 12 $files_location = "/dvp100/confd/docroot/cgi-bin/"; 13 #$ID = "syslog.tar.gz"; #param('ID'); 14 15 if ($ID eq '') { 16 17 } else { 18 open(DLFILE, "<$files_location/$ID") || Error('open', 'file'); 19 @fileholder = ; 20 close (DLFILE) || Error ('close', 'file'); 21 print "Content-Type:application/x-download\n"; 22 print "Content-Disposition:attachment;filename=$ID\n\n"; 23 print @fileholder; 24 }
Proof of Concept
videoflow_fd.txtTXT
Disclosure Timeline
01.02.2018Vulnerability discovered.
05.03.2018Vendor contacted.
30.03.2018No response from the vendor.
31.03.2018Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]https://cxsecurity.com/issue/WLB-2018030270
[2]https://www.exploit-db.com/exploits/44386/
[3]https://packetstormsecurity.com/files/147001
[4]https://exchange.xforce.ibmcloud.com/vulnerabilities/141102
[5]https://www.cve.org/CVERecord?id=CVE-2019-25256
Changelog
31.03.2018Initial release
01.04.2018Added reference [1]
02.04.2018Added reference [2]
08.04.2018Added reference [3] and [4]
23.03.2026Added reference [5]