Attacker Value
Moderate
(1 user assessed)
Exploitability
Low
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

Nuuo Central Management Server Authenticated Arbitrary File Download

Disclosure Date: November 27, 2018 Last updated February 13, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Nuuo Central Management Server allows authenticated users to download files. A directory traversal flaw in the FileType header allows the user to specify a file outside of the intended directories to download.

Add Assessment

0
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Low
Technical Analysis

Details

Details from module documentation in Metasploit.

The GETCONFIG verb is used by a CMS client to obtain configuration files and other resources from the CMS server. An example request is below:

GETCONFIG NUCM/1.0
FileName: <filename>
FileType: <number>
User-Session-No: <session-number>

The FileType determines the directory where the file will be downloaded from. “FileType: 0” will download from the base installation directory (CMS_DIR), while “FileType: 1” will download from “<CMS_DIR>\Images\Map\”. There are other defined FileType integers, but these have not been investigated in detail.

The vulnerability is in the “FileName” parameter, which accepts directory traversal (..\..\) characters. Therefore, this function can be abused to obtain any files off the file system, including:

  • CMServer.cfg, a file zipped with the password “NUCMS2007!” that contains the usernames and passwords of all the system users (enabling a less privileged user to obtain the administrator’s password)
  • ServerConfig.cfg, another file zipped with the password “NUCMS2007!” that contains the SQL Server “sa” password as well the FTP server username and password
  • Any other sensitive files in the drive where CMS Server is installed.

This module works in the following way:

  • if a SESSION number is present, uses that to login
  • if not, tries to authenticate with USERNAME and PASSWORD

Due to the lack of ZIP encryption support in Metasploit, the module prints a warning indicating that the archive cannot be unzipped in Msf.

Log in to Add Reply

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Unknown
Prerequisites
Unknown
Discovered By
Pedro Ribeiro <pedrib@gmail.com>
PoC Author
Pedro Ribeiro <pedrib@gmail.com>
Metasploit Module
Unknown
Reporter
Unknown

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis