Vendor: LANTIME Web Configuration Utility
By: Jakub Palaczynski
CVSS: 6.5 (MEDIUM)
Arbitrary File Read
CWE: 22
Product Name: LANTIME Web Configuration Utility
Affected Version From: All LTOS6 firmware releases before 6.24.004
Affected Version To: 6.16.008
Patch Exists: YES
Related CWE: CVE-2017-16787
CPE: a:meinberg:lantime_web_configuration_utility
2017

Meinberg LANTIME Web Configuration Utility – Arbitrary File Read

It is possible to read arbitrary files on the system with root permissions.

Proof of Concept:

First instance: https://host/cgi-bin/mainv2?value=800&showntpclientipinfo=xxx&ntpclientcounterlogfile=/etc/passwd&lcs=xxx

An Info-User user is able to read any file on the system with root permissions.

Second instance: A user with Admin-User access is able to read any file on the system via the firmware update functionality. Curl accepts the "file" scheme, which downloads a file from the local filesystem. It is then possible to download the /upload/update file, which contains the content of the requested file.

Mitigation:

Update to the latest version of the Meinberg LANTIME Web Configuration Utility
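
Requests matching the first instance can be found in web access logs by inspecting the `ntpclientcounterlogfile` parameter on `/cgi-bin/mainv2`. The following is an added example, not part of the original advisory or of Meinberg's software; the combined log format, the sample log lines, and the rule that any path-like value in this parameter is suspicious are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request part of a combined-format access log entry (log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
CGI_PATH = "/cgi-bin/mainv2"        # endpoint named in the advisory
PARAM = "ntpclientcounterlogfile"   # parameter named in the advisory

# Constructed sample log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2018:10:00:00 +0000] "GET /cgi-bin/mainv2?value=800'
    '&showntpclientipinfo=xxx&ntpclientcounterlogfile=/etc/passwd&lcs=xxx HTTP/1.1" 200 1432',
    '192.0.2.10 - - [01/Jan/2018:10:00:05 +0000] "GET /cgi-bin/mainv2?value=800'
    '&ntpclientcounterlogfile=%252Fetc%252Fpasswd HTTP/1.1" 200 1432',
    '192.0.2.22 - - [01/Jan/2018:10:01:00 +0000] "GET /cgi-bin/mainv2?value=800 HTTP/1.1" 200 5120',
]

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so %252Fetc is compared as /etc."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_paths(log_line):
    """Return the file paths requested through PARAM in one access-log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if decode_fully(url.path) != CGI_PATH:
        return []
    hits = []
    for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        path = decode_fully(value)
        # Assumption: clients never need to supply a path here, so any
        # absolute path or traversal sequence is reported.
        if path.startswith("/") or ".." in path:
            hits.append(path)
    return hits

def scan(lines):
    return [(i, p) for i, line in enumerate(lines) if (p := suspicious_paths(line))]

if __name__ == "__main__":
    for index, paths in scan(SAMPLE_LOG):
        print(f"line {index}: {PARAM} -> {paths}")
```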

Exploit-DB raw data:

Title: Meinberg LANTIME Web Configuration Utility - Arbitrary File Read
Author: Jakub Palaczynski
CVE: CVE-2017-16787


Exploit tested on:
==================

Meinberg LANTIME Web Configuration Utility 6.16.008


Vulnerability affects:
======================
All LTOS6 firmware releases before 6.24.004


Vulnerability:
**************

Arbitrary File Read:
====================

It is possible to read arbitrary files on the system with root permissions.

Proof of Concept:
First instance:
https://host/cgi-bin/mainv2?value=800&showntpclientipinfo=xxx&ntpclientcounterlogfile=/etc/passwd&lcs=xxx
An Info-User user is able to read any file on the system with root permissions.

Second instance:
A user with Admin-User access is able to read any file on the system via the
firmware update functionality. Curl accepts the "file" scheme, which
downloads a file from the local filesystem. It is then possible to download
the /upload/update file, which contains the content of the requested file.

Contact:
========

Jakub[dot]Palaczynski[at]gmail[dot]com