Sysax has an administrative interface that when enabled, is bound to 127.0.0.1 on port 88. This interface has a buffer overflow vulnerability in the "e2" parameter of the "scriptpathbrowse2.htm" functionality. The exploit I wrote is a local privilege escalation exploit but the vulnerability could be remotely exploitable in the right circumstances. The user would simply have to enable the functionality and bind it to 0.0.0.0
This is the option you need set for the local exploit to work:
The same issue exists for the following other pages:
- force_homepath_browse2.htm
- pathbrowse2.htm
- newaccountbrowse2.htm
Basically any place you can browse for a file or "go up to parent directory" the BoF exists.
Here is a demo of the exploit:
https://vimeo.com/44341842
Exploit:
http://www.exploit-db.com/exploits/19293/
Sysax has fixed this in version 5.64.
No comments:
Post a Comment