VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal

Title: VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal
Advisory ID: ZSL-2018-5454
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 31.03.2018
Summary
VideoFlow's Digital Video Protection (DVP) product is used by leading companies worldwide to boost the reliability of IP networks, including the public Internet, for professional live broadcast. DVP enables broadcast companies to confidently contribute and distribute live video over IP with unprecedented levels of service continuity, at a fraction of the cost of leased lines or satellite links. It accelerates ROI by reducing operational costs and enabling new revenue streams across a wide variety of markets.
Description
The application suffers from an authenticated arbitrary file disclosure vulnerability, and it has no session expiration. Input passed via the 'ID' parameter in several Perl scripts is not properly verified before being used to download system files. This can be exploited to disclose the contents of arbitrary files via directory traversal attacks.

--------------------------------------------------------------------------------

/dvp100/confd/docroot/cgi-bin/downloadsys.pl:
---------------------------------------------

#!/usr/bin/perl -wT
# http://www.sitepoint.com/file-download-script-perl/

use strict;
use CGI;
use CGI::Carp qw ( fatalsToBrowser );
my $files_location;
my $query = CGI->new;
my $ID = $query->param('ID');
my @fileholder;

$files_location = "/dvp100/confd/docroot/cgi-bin/";
#$ID = "syslog.tar.gz"; #param('ID');

if ($ID eq '') {

} else {
    open(DLFILE, "<$files_location/$ID") || Error('open', 'file');
    @fileholder = <DLFILE>;
    close (DLFILE) || Error ('close', 'file');
    print "Content-Type:application/x-download\n";
    print "Content-Disposition:attachment;filename=$ID\n\n";
    print @fileholder;
}

--------------------------------------------------------------------------------
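
A hardened form of the handler listed above, as an added example that is not part of the advisory or of VideoFlow's code: it accepts only a bare file name and confirms that the resolved path still lies inside the download directory before opening it. The allowed character set, the single download directory and the names resolve_download and main are assumptions.

```perl
#!/usr/bin/perl -T
# Added example: hardened download handler (not vendor code).
use strict;
use warnings;
use CGI;
use Cwd qw(realpath);
use File::Spec;

# Assumption: downloads are only ever meant to come from this directory.
my $FILES_LOCATION = '/dvp100/confd/docroot/cgi-bin';

# Return the canonical path for a requested ID, or undef if it must be refused.
sub resolve_download {
    my ($base, $id) = @_;
    return undef unless defined $id;
    # Assumed allowlist: one file name, no path separators, no leading dot.
    # The capture also untaints the value under -T and keeps CR/LF out of
    # the Content-Disposition header.
    my ($name) = $id =~ /\A([A-Za-z0-9_][A-Za-z0-9._-]{0,127})\z/
        or return undef;
    my $root = realpath($base);
    return undef unless defined $root;
    my $path = realpath(File::Spec->catfile($root, $name));
    return undef unless defined $path;
    # Defence in depth: after symlink resolution the target must be a
    # regular file that still sits under $root.
    return undef unless index($path, "$root/") == 0 && -f $path;
    return $path;
}

sub main {
    my $q    = CGI->new;
    my $path = resolve_download($FILES_LOCATION, scalar $q->param('ID'));
    my $fh;
    unless (defined $path && open($fh, '<', $path)) {
        print $q->header(-status => '404 Not Found', -type => 'text/plain'),
              "File not available\n";
        return;
    }
    binmode $fh;
    binmode STDOUT;
    my ($name) = $path =~ m{([^/]+)\z};
    print $q->header(-type => 'application/x-download', -attachment => $name);
    local $/ = \65536;          # stream in 64 KiB records, not line by line
    print while <$fh>;
    close $fh;
}

main() unless caller;
```

Refused and missing files return the same 404 response, so the handler does not reveal which names exist outside the allowlist.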

Vendor
VideoFlow Ltd. - http://www.video-flow.com
Affected Version
2.10 (X-Prototype-Version: 1.6.0.2)

System = Indicate if the DVP is configured as Protector, Sentinel or Fortress
Version = The Operating System SW version number
Image version = Production Image version

System: DVP Protector
Version: 1.40.0.15(R) May 5 2015 05:27:05
Image version: 3.07i

System: DVP Protector
Version: 1.40.0.15(R) May 5 2015 05:27:05
Image version: 2.08

System: DVP Fortress
Version: 2.10.0.5(R) Jan 7 2018 03:26:35
Image version: 3.07
Tested On
CentOS release 5.6 (Final) (2.6.18-238.12.1.el5)
CentOS release 5.10 (Final) (2.6.18-371.el5)
ConfD
Vendor Status
[01.02.2018] Vulnerability discovered.
[05.03.2018] Vendor contacted.
[30.03.2018] No response from the vendor.
[31.03.2018] Public security advisory released.
PoC
videoflow_fd.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://cxsecurity.com/issue/WLB-2018030270
[2] https://www.exploit-db.com/exploits/44386/
[3] https://packetstormsecurity.com/files/147001
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/141102
Changelog
[31.03.2018] - Initial release
[01.04.2018] - Added reference [1]
[02.04.2018] - Added reference [2]
[08.04.2018] - Added reference [3] and [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk