TANDBERG VCS
Arbitrary File Retrieval

Release Date:   2010-04-09
Product:        Video Communication Server (VCS)
Versions:       x4.3.0, x4.2.1, and possibly earlier
Severity:       Medium
Discovered by:  Jon Hart
Advisory by:    Timothy D. Morgan <tmorgan (at) vsecurity.com>
Vendor Status:  Firmware version x5.1.1 released
CVE Candidate:  CVE-2009-4511
Reference:      Original Advisory

Product Description

From [1]:

"The Video Communication Server (VCS) is an integral part of the TANDBERG Total Solution and is the center of the video communications network, connecting the benefits of video conferencing and telepresence to other communications environments including unified communications and IP Telephony networks."

Vulnerability Overview

On December 3rd, VSR identified a directory traversal and file retrieval vulnerability in TANDBERG's Video Communication Server. This issue would allow an authenticated attacker (any user of the web administration interface, whether an administrator or a less privileged account) to retrieve files from the filesystem that are readable by the "nobody" system user.

Product Background

The TANDBERG Video Communication Server is a Linux-based appliance which supports the interoperation of a plethora of video and voice communications devices. The VCS provides a web-based management interface implemented in PHP which allows administrators to perform a wide variety of actions, including configuration of the device, management of user accounts, and firmware updates, along with a number of other items.

Vulnerability Details

The TANDBERG VCS web management interface provides two nearly identical scripts at the URLs:

  https://vulnerable.example.com/helppage.php
  https://vulnerable.example.com/user/helppage.php

These help pages accept a "page" parameter in the URL which can be used to retrieve nearly arbitrary files from the filesystem. The relevant source code for these pages is as follows:

// The following is Copyright (C) 2009 TANDBERG //
...
// Grab the content before we write anything: we'll need it for the title tag in the <head>
// Dig out the page title, from the <title> tag,
// then remove any surround in the page as we add our own...
$filename = $this->helpPagePath . $_GET['page'] . $this->helpPageSuffix;

if (! file_exists($filename)) {
  $helpHTML = "There is no help available for the ". $_GET['page'] . " page<br/>";
  $pageTitle = $_GET['page'];
}else{
  $helpHTML = file_get_contents($filename);

...

  echo "\n<!-- ********** -->\n";
  echo $helpHTML;
  echo "<!-- ********** -->\n";
...
// end of excerpt //

Here, the final path string ($filename) loaded and displayed to the user is prepended with a directory and appended with a file extension. Using simple directory traversal techniques ("../") it is possible to traverse to any directory on the filesystem. Using a trailing NUL byte encoded in the URL (%00) it is also possible to truncate the file path to eliminate the file extension.

For instance, the following URL retrieves the /etc/passwd file:

  https://vulnerable.example.com/helppage.php?page=../../../../etc/passwd%00
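The lookup pattern above, and the containment check that closes it, as an added example in Python. This is not the advisory's or TANDBERG's code, and it does not show the x5.1.1 fix; the help directory, the ".html" suffix and the sample files are assumptions constructed for the demonstration. The NUL truncation is emulated explicitly, since Python (like PHP since 5.3.4) refuses paths containing an embedded NUL byte.

```python
import os
import re
import tempfile
from typing import Dict, Optional

# Stand-ins for the advisory's $helpPagePath / $helpPageSuffix (assumed values).
HELP_SUFFIX = ".html"
# Allow-list for a help page name: no separators, no dots, no NUL, nothing else.
SAFE_PAGE = re.compile(r"[A-Za-z0-9_-]+")


def build_help_root(root: str) -> str:
    """Create a toy help directory and one file outside it (constructed sample data)."""
    help_dir = os.path.join(root, "help")
    os.makedirs(help_dir, exist_ok=True)
    with open(os.path.join(help_dir, "overview" + HELP_SUFFIX), "w") as fh:
        fh.write("Help for the overview page")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("outside the help directory")
    return help_dir


def vulnerable_lookup(help_dir: str, page: str) -> Optional[str]:
    """Mirror of the excerpt: prefix + untrusted page + suffix, then read whatever that names.

    The trailing-NUL truncation the advisory describes is emulated by cutting the
    string at the first NUL, which is what a C-string path API would have done.
    """
    filename = (help_dir + os.sep + page + HELP_SUFFIX).split("\0", 1)[0]
    if not os.path.isfile(filename):
        return None
    with open(filename) as fh:
        return fh.read()


def hardened_lookup(help_dir: str, page: str) -> Optional[str]:
    """Validate the name against an allow-list, then prove the canonical path is inside help_dir."""
    if not SAFE_PAGE.fullmatch(page):
        return None
    base = os.path.realpath(help_dir)
    full = os.path.realpath(os.path.join(base, page + HELP_SUFFIX))
    # Defence in depth behind the allow-list: a symlink inside the help directory
    # or a later relaxation of SAFE_PAGE still cannot escape the base unnoticed.
    if os.path.commonpath([base, full]) != base:
        return None
    if not os.path.isfile(full):
        return None
    with open(full) as fh:
        return fh.read()


def demo() -> Dict[str, Optional[str]]:
    """Run both lookups against a legitimate name and the advisory's traversal shape."""
    with tempfile.TemporaryDirectory() as root:
        help_dir = build_help_root(root)
        traversal = "../secret.txt\0"  # decoded form of ../secret.txt%00
        return {
            "vuln_legit": vulnerable_lookup(help_dir, "overview"),
            "vuln_traversal": vulnerable_lookup(help_dir, traversal),
            "hard_legit": hardened_lookup(help_dir, "overview"),
            "hard_traversal": hardened_lookup(help_dir, traversal),
            "hard_plain_traversal": hardened_lookup(help_dir, "../secret.txt"),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The allow-list is the primary control: a help page name never legitimately contains a path separator, a dot or a NUL, so anything else is rejected before the filesystem is touched. The realpath containment check is kept as a second, independent guard; in PHP the same check is realpath() on both the base directory and the assembled path, followed by a prefix comparison.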

During testing, it was found that the x4.2.1 firmware runs the web server as the "nobody" user, which somewhat limits the amount of sensitive information that may be obtained. However, since shadowed passwords were not configured, it was possible to retrieve all local system users' password hashes from /etc/passwd. Additional password hashes are available in:

  /tandberg/persistent/etc/digest

Versions Affected

VSR has successfully exploited this issue in firmware version x4.2.1. Based on preliminary source code analysis, versions x4.3.0 and x5.0 also appear to be vulnerable. Earlier versions have not been tested.

Vendor Response

The following timeline details TANDBERG's response to the reported issue:

2009-12-09 Preliminary notice to TANDBERG. TANDBERG responded immediately.
2009-12-22 VSR provided TANDBERG a draft advisory.
2009-12-28 TANDBERG provided VSR with a beta version of the x5.0 firmware, but this did not appear to correct the issue (based on PHP code analysis alone).
2010-01-22 TANDBERG provided VSR with a beta version of the x5.1 firmware for testing which appeared to correct the vulnerability.
2010-03-26 TANDBERG provided VSR with a release candidate firmware for version x5.1.1.
2010-04-07 TANDBERG VCS firmware version x5.1.1 released.
2010-04-09 VSR advisory released.

Recommendation

Upgrade to version x5.1.1 to correct this issue. Temporary mitigation may be achieved by disabling access for potentially less trusted, non-administrative users.
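Until the upgrade is applied, requests against the two help-page scripts can be reviewed for traversal attempts. The following is an added example, not from the advisory or TANDBERG: it assumes the web server writes Common Log Format lines (the VCS's actual log format is not documented here), and the log lines, hosts and IP addresses are constructed. It decodes the page parameter repeatedly so that double-encoded variants are normalised before the check.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in Common Log Format (assumed format).
SAMPLE_LOG = """\
10.0.0.5 - admin [09/Apr/2010:10:01:12 +0000] "GET /helppage.php?page=overview HTTP/1.1" 200 5120
10.0.0.9 - guest [09/Apr/2010:10:02:44 +0000] "GET /user/helppage.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1832
10.0.0.9 - guest [09/Apr/2010:10:03:01 +0000] "GET /user/helppage.php?page=..%252f..%252fetc%252fpasswd%2500 HTTP/1.1" 200 1832
10.0.0.7 - admin [09/Apr/2010:10:04:20 +0000] "GET /login.php HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The two scripts named in the advisory.
HELP_SCRIPTS = ("/helppage.php", "/user/helppage.php")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded payloads (%252f) are normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(page: str) -> bool:
    """A legitimate help page name has no separators, parent segments or NUL bytes."""
    return "\0" in page or "/" in page or "\\" in page or ".." in page


def find_traversal_attempts(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (ip, status, decoded page) for help-page requests whose page value escapes the help directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path not in HELP_SCRIPTS:
            continue
        # parse_qs performs one round of decoding; decode_fully handles the rest.
        for page in parse_qs(url.query, keep_blank_values=True).get("page", []):
            page = decode_fully(page)
            if is_traversal(page):
                hits.append((m.group("ip"), m.group("status"), page))
    return hits


if __name__ == "__main__":
    for ip, status, page in find_traversal_attempts(SAMPLE_LOG):
        print(f"{ip} -> {status} page={page!r}")
```

A 200 status on a flagged request is the signal to act on: on the vulnerable firmware it means the file was served, so the affected account should be reviewed and the credential material the advisory names (local password hashes) treated as exposed.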

Common Vulnerabilities and Exposures (CVE) Information

The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2009-4511 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Acknowledgements

Thanks to TANDBERG for the quick initial response and cooperation.


References

1. TANDBERG - Video Communication Server
http://www.tandberg.com/video-conferencing-network-infrastructure/video-communication-server.jsp
2. TANDBERG VCS Firmware Downloads
http://ftp.tandberg.com/pub/software/vcs/

Copyright © 2009,2010 Virtual Security Research, LLC. All rights reserved.
