Vulnerable Systems:
* Video Communication Server (VCS) version x4.2.1
* Video Communication Server (VCS) version x4.3.0
Immune Systems:
* Video Communication Server (VCS) version x5.1.1
This issue allows an authenticated attacker (anyone with an account on the web administration interface, whether an administrator or a less privileged user) to retrieve files from the filesystem that are readable by the "nobody" system user, which the web server runs as.
The TANDBERG VCS web management interface provides two nearly identical scripts at URLs:
https://vulnerable.example.com/helppage.php
https://vulnerable.example.com/user/helppage.php
These help pages accept a "file" parameter in the query string which can be abused to read nearly arbitrary files from the filesystem (any file readable by the web server's user). The relevant source code for these pages is as follows:
// The following is Copyright (C) 2009 TANDBERG //
...
// Grab the content before we write anything: we'll need it for the title tag in the <head>
// Dig out the page title, from the <title> tag,
// then remove any surround in the page as we add our own...
$filename = $this->helpPagePath . $_GET['page'] . $this->helpPageSuffix;

if (! file_exists($filename)) {
    $helpHTML = "There is no help available for the " . $_GET['page'] . " page ";
    $pageTitle = $_GET['page'];
} else {
    $helpHTML = file_get_contents($filename);
    ...
}
...
echo "\n\n";
echo $helpHTML;
echo "\n";
...
// end of excerpt //
Here, the final path string ($filename) that is loaded and echoed back to the user is built by prepending a directory ($this->helpPagePath) and appending a file extension ($this->helpPageSuffix) to the unvalidated parameter value taken from $_GET. Using simple directory traversal sequences ("../") it is possible to escape the help directory and reach any directory on the filesystem. A trailing NUL byte, URL-encoded as %00, truncates the path before the forced extension: PHP versions prior to 5.3.4 passed such strings unchecked to the underlying C library calls, so both file_exists() and file_get_contents() operate on the truncated path. (PHP 5.3.4 and later reject paths containing NUL bytes, which removes the truncation trick but not the traversal itself.)
For instance, the following URL retrieves the /etc/passwd file:
During testing, the x4.2.1 firmware was found to run the web server as the "nobody" user, which somewhat limits the sensitive information that can be obtained. However, because shadowed passwords were not configured, all local system users' password hashes could be retrieved from /etc/passwd and cracked offline. Additional password hashes are available in /tandberg/persistent/etc/digest.
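The following is an added example, not code from the advisory or from TANDBERG. It models the $filename construction quoted above, shows why "../" segments plus a trailing %00 end up opening /etc/passwd under the pre-5.3.4 PHP behaviour, contrasts that with a containment check that rejects such input, and flags such requests in web-server access logs. HELP_PAGE_PATH, HELP_PAGE_SUFFIX, the sample log lines and all helper names are assumptions for illustration; the log check keys on the script name rather than the parameter name, since the advisory calls the parameter "file" while the excerpt reads $_GET['page'].

```python
# Added example; not code from the advisory or from TANDBERG.  Paths, names
# and log lines below are assumptions chosen for illustration.
import os
import re
import tempfile
from typing import List, Optional, Tuple
from urllib.parse import unquote

HELP_PAGE_PATH = "/usr/share/vcs/help/"   # assumed; the real value is not in the advisory
HELP_PAGE_SUFFIX = ".html"                # assumed


def vulnerable_filename(page: str) -> str:
    """Mirror of: $filename = $this->helpPagePath . $_GET['page'] . $this->helpPageSuffix;
    PHP fills $_GET from the URL-decoded query string, hence unquote()."""
    return HELP_PAGE_PATH + unquote(page) + HELP_PAGE_SUFFIX


def legacy_php_open_path(filename: str) -> str:
    """Emulate PHP before 5.3.4, which handed the path to the C runtime
    unchecked: the first NUL byte ends the C string, so the forced suffix
    after it is never seen by file_exists()/file_get_contents().  The
    remaining "../" segments are then collapsed by normal path lookup."""
    nul = filename.find("\x00")
    truncated = filename if nul == -1 else filename[:nul]
    return os.path.normpath(truncated)


def safe_help_filename(page: str, base: str, suffix: str = HELP_PAGE_SUFFIX) -> Optional[str]:
    """Hardened lookup (assumes help pages live flat in one directory):
    reject NUL bytes and path separators outright, then resolve the result
    with realpath() and require it to stay inside the help directory, so
    '..' segments and symlinks pointing elsewhere are refused as well."""
    decoded = unquote(page)
    if "\x00" in decoded or "/" in decoded or "\\" in decoded:
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, decoded + suffix))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo_lookup() -> Tuple[bool, Optional[str], str]:
    """Create a throwaway help directory with one page, try a legitimate
    name and a traversal string against the hardened lookup, and show what
    the vulnerable construction would have opened for the traversal string."""
    traversal = "../../../../etc/passwd%00"
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "login.html"), "w") as fh:
            fh.write("<title>Login</title>")
        ok = safe_help_filename("login", base)
        bad = safe_help_filename(traversal, base)
        legit_found = ok is not None and os.path.basename(ok) == "login.html"
    opened = legacy_php_open_path(vulnerable_filename(traversal))
    return (legit_found, bad, opened)


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
TRAVERSAL_MARKERS = ("../", "..\\", "\x00")


def flag_help_page_requests(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Detection: flag helppage.php requests whose decoded target contains a
    traversal sequence or a NUL byte.  Decoding twice also catches
    double-encoded forms such as %252e%252e%252f."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or "helppage.php" not in m.group(1):
            continue
        decoded = unquote(unquote(m.group(1)))
        if any(marker in decoded for marker in TRAVERSAL_MARKERS):
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits


# Constructed access-log lines in Common Log Format, not captured traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2010:10:15:02 +0000] "GET /helppage.php?page=login HTTP/1.1" 200 2311',
    '10.0.0.9 - - [12/Mar/2010:10:15:40 +0000] "GET /user/helppage.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1842',
    '10.0.0.9 - - [12/Mar/2010:10:16:01 +0000] "GET /user/helppage.php?page=..%252F..%252F..%252F..%252Ftandberg%252Fpersistent%252Fetc%252Fdigest%2500 HTTP/1.1" 200 960',
    '10.0.0.5 - - [12/Mar/2010:10:17:10 +0000] "GET /index.php HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    print(demo_lookup())
    for ip, target in flag_help_page_requests(SAMPLE_LOG):
        print("suspicious help-page request from", ip, "->", target)
```

The hardened lookup deliberately refuses separators instead of trying to sanitise them; if the real help tree used subdirectories, the realpath containment check alone would still stop traversal, but a name allow-list would be the more robust fix.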
Workaround:
Until the fixed version (x5.1.1) is deployed, temporary mitigation may be achieved by disabling or removing web administration interface accounts for less trusted, non-administrative users, since the flaw requires an authenticated session.