[NT] NeroNET Directory Traversal

• Previous message: SecuriTeam: "[NEWS] Cisco IOS Heap-based Overflow Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 6 Nov 2005 14:07:58 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  NeroNET Directory Traversal
------------------------------------------------------------------------

SUMMARY

NeroNET is a web server which allows <http://www.nero.com> Nero users to
use a CD/DVD burner remotely.

A directory traversal vulnerability in NeroNET allows attackers access to
files they are not supposed to access.

DETAILS

Vulnerable Systems:
 * NeroNET version 1.2.0.2 and prior.

The program is affected by a classical directory traversal bug which can
be exploited by anyone since the directories used as base for the attack
(www and status) are publics and do NOT require authorization. Both slash
and backslash and the relative HTTP encoded chars are allowed.

The limitation of this bug is that only some file extensions are allowed:
nri, nrg, zip, dvi, rtf, ppt, pdf, mpe, mpeg, mpg, mov, qt, vob, avi, wav,
mp3, bmp, tiff, tif, jpe, jpeg, jpg, gif, log, txt, sdp, css, js, html,
htm

The check made by NeroNET is only on the beginning of the extension so JSP
or JSWHATYOUWANT are allowed extensions since JS is in the list.

Proof of concept:
http://host/www/..%2f..%5c../..../folder/file.txt

ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/neronet-adv.txt>
http://aluigi.altervista.org/adv/neronet-adv.txt

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NEWS] Cisco IOS Heap-based Overflow Vulnerability"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]