CVE-2012-4031
Published 2012-07-17
Priority: P3 · 47 · medium · 5 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 52.27% (98.8th percentile)
Multiple directory traversal vulnerabilities in src/acloglogin.php in Wangkongbao CNS-1000 and 1100 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) lang or (2) langid cookie to port 85.
Detection & IOCs (extracted from sources)
- Detect directory traversal attempts targeting /src/acloglogin.php on port 85, specifically looking for dot-dot sequences in the 'lang' or 'langid' cookie values.
- Alert on HTTP requests to port 85 with Cookie headers containing '../' traversal sequences in the 'lang' or 'langid' cookie fields, especially with long '/.' padding sequences (e.g., '/.' repeated 4043 times).
- The Apache server on the affected device runs as root; successful exploitation may be evidenced by retrieval of /etc/shadow or /etc/passwd contents in HTTP 200 responses on port 85.
- Presence of the hardcoded PHPSESSID value 'af0402062689e5218a8bdad17d03f559' in a Cookie header on port 85 is a strong indicator of Metasploit-based exploitation of this CVE.
- The traversal depth is configurable in the Metasploit module; the default is 11 levels deep ('../../../../../../../../..'), but attackers may vary this value, so detection should use a pattern match rather than a fixed string.
- The target file path is also configurable (default /etc/shadow), meaning the traversal cookie payload will vary depending on the attacker's chosen target file.
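A sketch of the detection logic described in the list above, as an added example that is not taken from the page's sources or from the Metasploit module: it normalises URL encoding, then pattern-matches dot-dot segments at any depth in the `lang` and `langid` cookies of requests to `/src/acloglogin.php` on port 85. The function names, the padding threshold of 8 repeats and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

WATCHED = {"lang", "langid"}                         # cookie names from the CVE text
MSF_PHPSESSID = "af0402062689e5218a8bdad17d03f559"   # IoC quoted on this page
DOTDOT = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")   # a '..' path segment, any depth
PADDING = re.compile(r"(?:/\.){8,}")                 # long '/.' runs (threshold assumed)

def decode(value, rounds=3):
    """URL-decode a few times so %2e%2e%2f and double encoding are normalised."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def parse_cookies(header):
    """Split a Cookie header into (lower-cased name, value) pairs."""
    pairs = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def inspect_request(dst_port, path, cookie_header):
    """Return findings for one HTTP request; an empty list means nothing matched."""
    findings = []
    if dst_port != 85 or not path.lower().startswith("/src/acloglogin.php"):
        return findings
    for name, raw in parse_cookies(cookie_header):
        value = decode(raw)
        if name in WATCHED and DOTDOT.search(value):
            findings.append(f"traversal:{name}")
            if PADDING.search(value):
                findings.append(f"padding:{name}")
        if name == "phpsessid" and value.lower() == MSF_PHPSESSID:
            findings.append("msf-phpsessid")
    return findings

# Constructed sample requests: (destination port, path, Cookie header)
SAMPLES = [
    (85, "/src/acloglogin.php", "PHPSESSID=abc123; lang=en; langid=1"),
    (85, "/src/acloglogin.php", "lang=..%2f..%2f..%2fetc%2fpasswd"),
    (85, "/src/acloglogin.php",
     "PHPSESSID=" + MSF_PHPSESSID + "; langid=../../etc/shadow" + "/." * 20),
    (80, "/index.php", "lang=../x"),
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req[0], req[1], inspect_request(*req))
```

Because the match is on a `..` path segment rather than a fixed string, it fires regardless of the traversal depth or target file chosen.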
No detection rules found.
Exploit-DB
WANGKONGBAO CNS-1000 UTM IPS-FW - Directory Traversal (Metasploit)
exploitdb·2012-07-02
---
# Exploit Title: WANGKONGBAO CNS-1000 and 1100 Network Security Platform UTM Directory Traversal
# Date: 7/2/2012
# Exploit Author: Dillon Beresford
# Vendor Homepage: http://www.wangkongbao.com/products.html
# Version: CNS-1000 and 1100
The issue is in the /src/acloglogin.php langid and lang parameters stored inside the cookie. Using a URL encoded POST or GET via port 85 input langid or lang will allow an attacker to view any file on the file system or upload arbitrary files to the file system. The webserver is running as root... nuff said.
Enjoy! - D1N
Translated to English
Network control Po for SME hardware products based on dedicated chips and professional network security platform, a new generation of integr
Metasploit
WANGKONGBAO CNS-1000 and 1100 UTM Directory Traversal
metasploit
This module exploits the WANGKONGBAO CNS-1000 and 1100 UTM appliances, aka Network Security Platform. This directory traversal vulnerability is interesting because the Apache server is running as root; this means we can grab anything we want! For instance, the /etc/shadow and /etc/passwd files for the special kfc:$1$SlSyHd1a$PFZomnVnzaaj3Ei2v1ByC0:15488:0:99999:7::: user
No writeups or analysis indexed.
- http://osvdb.org/83636
- http://secunia.com/advisories/49776
- http://www.exploit-db.com/exploits/19526
- http://www.securityfocus.com/bid/54267
- https://exchange.xforce.ibmcloud.com/vulnerabilities/76682