[EVERTZ] - Path Transversal && Arbitrary File Upload = SHELL [CVE-2020-22159 ]
The 3080IPX is an integrated multicast label switching fabric that unlocks the advantage of 10GE and 1GE signaling without sacrifi cing fl exibility and ease control necessary for video LAN/WAN transport applications.
The 7801FC VistaLINK® Frame Controller card provides a single point of access to communicate with VistaLINK®-capable modules. The 7801FC VistaLINK® Frame Controller provides a 10Base-T/100Base-TX/1000 Base-TX Ethernet port, and communication is facilitated through the use of Simple Network Management Protocol (SNMP).
-------------------------------------------------------------------------------------------------------------------------
EVERTZ devices are vulnerable to Transversal Path and arbitrary file upload, allowing an auhtenticated attacker to read any file from the affected system, as well as upload a webshell or overwrite any system files
The 7801FC VistaLINK® Frame Controller card provides a single point of access to communicate with VistaLINK®-capable modules. The 7801FC VistaLINK® Frame Controller provides a 10Base-T/100Base-TX/1000 Base-TX Ethernet port, and communication is facilitated through the use of Simple Network Management Protocol (SNMP).
-------------------------------------------------------------------------------------------------------------------------
EVERTZ devices are vulnerable to Transversal Path and arbitrary file upload, allowing an auhtenticated attacker to read any file from the affected system, as well as upload a webshell or overwrite any system files
Affected devices:
It is likely that more devices are affected, because although not all contain a menu or call within the webgui that takes them to the affected function, all devices contain the vulnerable function and can also be called directly if the affected parameter is known
• 3080IPX - exe-guest-v1.2-r26125
• 7801FC - 1.3 Build 27
• 7890IXG - V494
Affected parameter: "filename"
Affected functions:
Path Transversal:
The application allows through the feature-transfer-download.php function to download any system file
Affected functions:
- feature-transfer-download.php
- feature-transfer-upload.php
Path Transversal:
The application allows through the feature-transfer-download.php function to download any system file
All the devices that were tested were vulnerable. The EVERTZ devices I tested have the same functions although they are not necessarily called from the menu of each device. If the function and the vulnerable parameter are known, it is possible to call the affected function directly on any of the affected devices.
Arbitrary File Upload:
The application allows through the feature-transfer-upload.php function to overwrite any system file or upload any file to any path within the system, allowing an attacker to upload a webshell or delete critical files from the device
Defining the path in which we want to place the file, we can create new or write others
Webshell
By: @Linuxmonr4 [CVE-2020-22159 ]
Comentarios
Publicar un comentario