[NT] NeroNET Directory Traversal

From: SecuriTeam (support_at_securiteam.com)
Date: 11/06/05

  • Next message: SecuriTeam: "[UNIX] Clam AntiVirus Multiple DoS" 
    To: list@securiteam.com
Date: 6 Nov 2005 14:07:58 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      NeroNET Directory Traversal
    ------------------------------------------------------------------------

    SUMMARY

    NeroNET is a web server which allows <http://www.nero.com> Nero users to
    use a CD/DVD burner remotely.

    A directory traversal vulnerability in NeroNET allows attackers access to
    files they are not supposed to access.

    DETAILS

    Vulnerable Systems:
     * NeroNET version 1.2.0.2 and prior.

    The program is affected by a classical directory traversal bug which can
    be exploited by anyone since the directories used as base for the attack
    (www and status) are publics and do NOT require authorization. Both slash
    and backslash and the relative HTTP encoded chars are allowed.

    The limitation of this bug is that only some file extensions are allowed:
    nri, nrg, zip, dvi, rtf, ppt, pdf, mpe, mpeg, mpg, mov, qt, vob, avi, wav,
    mp3, bmp, tiff, tif, jpe, jpeg, jpg, gif, log, txt, sdp, css, js, html,
    htm

    The check made by NeroNET is only on the beginning of the extension so JSP
    or JSWHATYOUWANT are allowed extensions since JS is in the list.

    Proof of concept:
    http://host/www/..%2f..%5c../..../folder/file.txt

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:aluigi@autistici.org> Luigi
    Auriemma.
    The original article can be found at:
    <http://aluigi.altervista.org/adv/neronet-adv.txt>
    http://aluigi.altervista.org/adv/neronet-adv.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Clam AntiVirus Multiple DoS"

    Relevant Pages