
TANDBERG Video Communication Server Arbitrary File Retrieval

09 April 2010

by Robert Wessen

                   Virtual Security Research, LLC.
                      http://www.vsecurity.com/
                         Security Advisory


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Advisory Name: TANDBERG Video Communication Server Arbitrary File Retrieval
 Release Date: 2010-04-09
  Application: Video Communication Server (VCS)
     Versions: x4.3.0, x4.2.1, and possibly earlier
     Severity: Medium
Discovered by: Jon Hart
  Advisory by: Timothy D. Morgan 
Vendor Status: Firmware update released [2]
CVE Candidate: CVE-2009-4511
    Reference: http://www.vsecurity.com/resources/advisory/20100409-3/

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


Product Description
-------------------
From [1]:

 "The Video Communication Server (VCS) is an integral part of the TANDBERG
  Total Solution and is the center of the video communications network,
  connecting the benefits of video conferencing and telepresence to other
  communications environments including unified communications and IP
  Telephony networks."


Vulnerability Overview
----------------------
On December 3rd, VSR identified a directory traversal and file retrieval
vulnerability in TANDBERG's Video Communication Server.  This issue would
allow an authenticated attacker (who has access as an administrator or less
privileged user on the web administration interface) to retrieve files from
the filesystem which are readable by the "nobody" system user.
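
The following Python is an added example, not part of the VSR advisory or of
TANDBERG's code: it scans web access log lines for requests to the two help
page scripts named under Vulnerability Details whose "file" parameter contains
parent-directory segments. The log format, the sample lines and the value
"overview" are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script paths and parameter name as given in the advisory.
HELP_PATHS = {"/helppage.php", "/user/helppage.php"}
PARAM = "file"
# Request line of a common/combined-format access log entry (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so multiply-encoded separators are also seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value contains a parent-directory path segment."""
    segments = fully_decode(value).replace("\\", "/").split("/")
    return ".." in segments

def suspicious_requests(log_lines):
    """Return (line_number, decoded_file_value) for traversing help page requests."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if url.path not in HELP_PATHS:
            continue
        # parse_qsl decodes once; fully_decode strips any further layers.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == PARAM and is_traversal(value):
                hits.append((number, fully_decode(value)))
    return hits

# Constructed sample log lines (not from the advisory); 192.0.2.0/24 is documentation space.
SAMPLE_LOG = [
    '192.0.2.10 - admin [09/Apr/2010:10:00:01 +0000] "GET /helppage.php?file=overview HTTP/1.1" 200 5120',
    '192.0.2.44 - user1 [09/Apr/2010:10:02:17 +0000] "GET /user/helppage.php?file=../../constructed/example.txt HTTP/1.1" 200 12',
    '192.0.2.44 - user1 [09/Apr/2010:10:02:30 +0000] "GET /helppage.php?file=%252e%252e%252fconstructed%252fexample.txt HTTP/1.1" 200 12',
    '192.0.2.10 - admin [09/Apr/2010:10:05:00 +0000] "GET /status.php?file=../x HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: file={value!r}")
```

Because the issue requires an authenticated session, the user field of each
flagged log line identifies the account to review.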


Product Background
------------------
The TANDBERG Video Communication Server is a Linux-based appliance which
supports the interoperation of a plethora of video and voice communications
devices. The VCS provides a web-based management interface implemented in PHP
which allows administrators to perform a wide variety of actions, including
configuration of the device, management of user accounts, firmware updates,
along with a number of other items.


Vulnerability Details
---------------------
The TANDBERG VCS web management interface provides two nearly identical scripts at URLs:
  https://vulnerable.example.com/helppage.php
  https://vulnerable.example.com/user/helppage.php

These help pages accept a "file" parameter in the URL which can be used to
retrieve nearly arbitrary files from the filesystem.  The relevant source code
for these pages is as follows:

// The following is Copyright (C) 2009 TANDBERG //
...
// Grab the content before we write anything: we'll need it for the title tag in the 
// Dig out the page title, from the