Wednesday, February 12, 2020

[EVERTZ] - Path Transversal && Arbitrary File Upload = SHELL





The 3080IPX is an integrated multicast label switching fabric that unlocks the advantage of 10GE and 1GE signaling without sacrifi cing fl exibility and ease control necessary for video LAN/WAN transport applications.

The 7801FC VistaLINK® Frame Controller card provides a single point of access to communicate with VistaLINK®-capable modules. The 7801FC VistaLINK® Frame Controller provides a 10Base-T/100Base-TX/1000 Base-TX Ethernet port, and communication is facilitated through the use of Simple Network Management Protocol (SNMP).
-------------------------------------------------------------------------------------------------------------------------

EVERTZ devices are vulnerable to Transversal Path and arbitrary file upload, allowing an auhtenticated attacker to read any file from the affected system, as well as upload a webshell or overwrite any system files

Affected devices:

It is likely that more devices are affected, because although not all contain a menu or call within the webgui that takes them to the affected function, all devices contain the vulnerable function and can also be called directly if the affected parameter is known

• 3080IPX - exe-guest-v1.2-r26125
• 7801FC - 1.3 Build 27
• 7890IXG - V494


Affected parameter: "filename"
Affected functions:

  • feature-transfer-download.php
  • feature-transfer-upload.php













Path Transversal:

The application allows through the feature-transfer-download.php function to download any system file














All the devices that were tested were vulnerable. The EVERTZ devices I tested have the same functions although they are not necessarily called from the menu of each device. If the function and the vulnerable parameter are known, it is possible to call the affected function directly on any of the affected devices.


















Arbitrary File Upload:

The application allows through the feature-transfer-upload.php function to overwrite any system file or upload any file to any path within the system, allowing an attacker to upload a webshell or delete critical files from the device


Defining the path in which we want to place the file, we can create new or write others




Webshell























By: @Linuxmonr4





 
biz.