{"id":6650,"date":"2017-02-15T14:19:06","date_gmt":"2017-02-15T22:19:06","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/02\/15\/news-469\/"},"modified":"2017-02-15T14:19:06","modified_gmt":"2017-02-15T22:19:06","slug":"news-469","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/02\/15\/news-469\/","title":{"rendered":"SSD Advisory \u2013 Tripwire IP360 Local File Inclusion"},"content":{"rendered":"<p><strong>Credit to Author: Maor Schwartz | Date: Wed, 15 Feb 2017 07:16:18 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Vulnerabilities Summary<\/strong><br \/> The following advisory describes a Local File Inclusion (LFI) vulnerability found in Tripwire IP360 version 7.2.6. Tripwire IP360 is an enterprise-class vulnerability and risk assessment product; it provides visibility into the enterprise network, including all networked devices and their associated operating systems and applications.<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Mohammed Shameem, has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> Tripwire has stated that version 7.2.6, which was vulnerable, has reached end of life. No other version of Tripwire IP360 is affected by this LFI vulnerability. 
Tripwire customers still running version 7.2.6 should upgrade to version 7.5 or newer, which is supported.<\/p>\n<p><span id=\"more-3010\"><\/span><\/p>\n<p><strong>Vulnerabilities Details<\/strong><br \/> Tripwire IP360 version 7.2.6 suffers from a Local File Inclusion vulnerability in its help viewer. The affected request is issued from an authenticated session, so exploitation requires valid credentials for the IP360 web interface (see the proof of concept below).<\/p>\n<p>Browsing the &#8220;<em>Help<\/em>&#8221; section of the product pops up the following window:<\/p>\n<p><a href=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/02\/Tripwire-IP360.jpg\"><img src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/02\/Tripwire-IP360-300x87.jpg\" alt=\"\" width=\"300\" height=\"87\" class=\"alignnone size-medium wp-image-3014\" \/><\/a><\/p>\n<p>The highlighted section in the image is fetched with the URL:<\/p>\n<pre><code>https:\/\/&lt;ip&gt;\/\/index.ice?class=new_help&amp;do=get_resource&amp;url=ip360_administration_guide_v7_x_kwindex.htm<\/code><\/pre>\n<p>The \u201c<em>url<\/em>\u201d parameter is vulnerable to LFI.<\/p>\n<p>The \u201c<em>class<\/em>\u201d parameter names a PHP page located under \u201c<em>\/hive\/ui\/IP360\/private\/states<\/em>\u201d. 
<\/p>\n<p>The vulnerable code can be found in the \u201c<em>url<\/em>\u201d parameter handling:<\/p>\n<\/p>\n<p><!-- Crayon Syntax Highlighter v_2.7.2_beta -->    \t\t<\/p>\n<div id=\"crayon-58a4d3d8b4697639770196\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-toolbar\" data-settings=\" mouseover overlay hide delay\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\"><span class=\"crayon-title\"><\/span>  \t\t\t<\/p>\n<div class=\"crayon-tools\" style=\"font-size: 12px !important;height: 18px !important; line-height: 18px !important;\">\n<div class=\"crayon-button crayon-nums-button\" title=\"Toggle Line Numbers\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-plain-button\" title=\"Toggle Plain Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-wrap-button\" title=\"Toggle Line Wrap\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-expand-button\" title=\"Expand Code\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-copy-button\" title=\"Copy\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<div class=\"crayon-button crayon-popup-button\" title=\"Open Code In New Window\">\n<div class=\"crayon-button-icon\"><\/div>\n<\/div>\n<\/div>\n<\/div>\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> \u201c\/\/loads in a 
resource as requested    \tfunction do_get_resource() {    \t\t$url_param = fwRequest::get(&#8216;url&#8217;);    \t\t$url = &#8216;docs\/admin\/&#8217; . $url_param;    \t\t$resource = file_get_contents($url, true);    \/\/image files need to have header info specifying MIME type    \tif($this-&gt;ends_with($url, &#8220;.gif&#8221;)) {    \t\theader(&#8216;content-type: image\/gif&#8217;);    \t\techo $resource;    \t}    \telse if($this-&gt;ends_with($url, &#8220;.png&#8221;)) {    \t\theader(&#8216;content-type: image\/png&#8217;);    \t\techo $resource;    \t}    \telse if($this-&gt;ends_with($url, &#8220;.jpg&#8221;)) {    \t\theader(&#8216;content-type: image\/jpeg&#8217;);    \t\techo $resource;    \t}    \t\/\/don&#8217;t touch the JQuery file &#8212; causes problems if converted    \telse if($this-&gt;ends_with($url, &#8220;jquery-1.4.2.min.js&#8221;)) {    \t\tprint $resource;    \t}    \telse if($this-&gt;ends_with($url, &#8220;jquery.js&#8221;)) {    \t\tprint $resource;    \t}    \t\/\/slightly different logic for this file    \telse if($this-&gt;ends_with($url, &#8220;nsh.js&#8221;)) {    \t\t$nsh_converted_resource = $this-&gt;convert_links_nsh($resource);    \t\tprint $nsh_converted_resource;    \t}    \/\/convert all links    \telse {    \t\tif($url_param == &#8216;helpman_navigation.js&#8217;) {    \t\t\t$helpman_navigation_resource = $this-&gt;convert_links($resource, true, false);    \t\t\t$converted_resource = $this-&gt;add_helpman_nav_code($helpman_navigation_resource);\u201d<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-nums\" data-settings=\"show\">\n<div class=\"crayon-nums-content\" style=\"font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-1\">1<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-2\">2<\/div>\n<div 
class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-3\">3<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-4\">4<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-5\">5<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-6\">6<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-7\">7<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-8\">8<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-9\">9<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-10\">10<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-11\">11<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-12\">12<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-13\">13<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-14\">14<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-15\">15<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-16\">16<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-17\">17<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-18\">18<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-19\">19<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-20\">20<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-21\">21<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-22\">22<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-23\">23<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-58a4d3d8b4697639770196-24\">24<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-25\">25<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-26\">26<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-27\">27<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-28\">28<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-29\">29<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-30\">30<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-31\">31<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-32\">32<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-33\">33<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-34\">34<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-35\">35<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-36\">36<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-37\">37<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-38\">38<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-39\">39<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-40\">40<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-41\">41<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-42\">42<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-43\">43<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-44\">44<\/div>\n<div class=\"crayon-num\" 
data-line=\"crayon-58a4d3d8b4697639770196-45\">45<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-46\">46<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-47\">47<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-48\">48<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-49\">49<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-50\">50<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-51\">51<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-52\">52<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-53\">53<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-54\">54<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-55\">55<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-56\">56<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-57\">57<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-58\">58<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-59\">59<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-60\">60<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-61\">61<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-62\">62<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-63\">63<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-64\">64<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-65\">65<\/div>\n<div class=\"crayon-num crayon-striped-num\" 
data-line=\"crayon-58a4d3d8b4697639770196-66\">66<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-67\">67<\/div>\n<div class=\"crayon-num crayon-striped-num\" data-line=\"crayon-58a4d3d8b4697639770196-68\">68<\/div>\n<div class=\"crayon-num\" data-line=\"crayon-58a4d3d8b4697639770196-69\">69<\/div>\n<\/div>\n<\/td>\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-1\">\u201c<span class=\"crayon-c\">\/\/loads in a resource as requested<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-2\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-3\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-t\">function<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">do_get_resource<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-4\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-5\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">url_param<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">fwRequest<\/span><span class=\"crayon-o\">::<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;url&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-6\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-7\"><span 
class=\"crayon-h\">\t\t<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;docs\/admin\/&#8217;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">url_param<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-8\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-9\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">resource<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">file_get_contents<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-10\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-11\"><span class=\"crayon-c\">\/\/image files need to have header info specifying MIME type<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-12\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-13\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-e\">ends_with<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span 
class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;.gif&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-14\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-15\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">header<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;content-type: image\/gif&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-16\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-17\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-i\">echo<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">resource<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-18\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-19\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-20\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-21\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-e\">ends_with<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">url<\/span><span 
class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;.png&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-22\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-23\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">header<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;content-type: image\/png&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-24\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-25\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-i\">echo<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">resource<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-26\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-27\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-28\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-29\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-e\">ends_with<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">,<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;.jpg&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-30\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-31\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-e\">header<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;content-type: image\/jpeg&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-32\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-33\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-i\">echo<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">resource<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-34\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-35\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-36\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-37\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/\/don&#8217;t touch the JQuery file &#8212; causes problems if converted<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-38\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-39\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-sy\">$<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-e\">ends_with<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;jquery-1.4.2.min.js&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-40\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-41\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">resource<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-42\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-43\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-44\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-45\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-e\">ends_with<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;jquery.js&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-46\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-47\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">resource<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-48\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-49\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-50\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-51\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-c\">\/\/slightly different logic for this file<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-52\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-53\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-e\">ends_with<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;nsh.js&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-54\">&nbsp;<\/div>\n<div 
class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-55\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">nsh_converted_resource<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-e\">convert_links_nsh<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">resource<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-56\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-57\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">nsh_converted_resource<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-58\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-59\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-60\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-61\"><span class=\"crayon-c\">\/\/convert all links<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-62\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-63\"><span class=\"crayon-h\">\t<\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-64\">&nbsp;<\/div>\n<div class=\"crayon-line\" 
id=\"crayon-58a4d3d8b4697639770196-65\"><span class=\"crayon-h\">\t\t<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">url_param<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;helpman_navigation.js&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-66\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-67\"><span class=\"crayon-h\">\t\t\t<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">helpman_navigation_resource<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-e\">convert_links<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">resource<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">true<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">false<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-58a4d3d8b4697639770196-68\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-58a4d3d8b4697639770196-69\"><span class=\"crayon-h\">\t\t\t<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">converted_resource<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-r\">this<\/span><span class=\"crayon-o\">-&gt;<\/span><span 
class=\"crayon-e\">add_helpman_nav_code<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">$<\/span><span class=\"crayon-v\">helpman_navigation_resource<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span>\u201d<\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p><em>file_get_contents<\/em> is the vulnerable call: it reads the entire requested file into a string, which is then echoed back through \u201c<em>$resource<\/em>\u201d without proper validation of the supplied path.<\/p>\n<p><strong>Proof of Concept<\/strong><\/p>\n<ol>\n<li>Set up a proxy and log in to the web interface of the Tripwire IP360 scanner<\/li>\n<li>Click on the Help link in the top right corner<\/li>\n<li>Intercept the request carrying the parameter shown above<\/li>\n<li>Change the \u201c<em>url<\/em>\u201d parameter value to \u201c<em>..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd<\/em>\u201d and observe the server response.<\/li>\n<\/ol>\n<p>An attacker might carry out one or more of the following attacks:<\/p>\n<ul>\n<li>Gather usernames via the &#8220;<em>\/etc\/passwd<\/em>&#8221; file<\/li>\n<li>Obtain useful information from log files such as &#8220;<em>\/apache\/logs\/error.log<\/em>&#8221; or &#8220;<em>\/apache\/logs\/access.log<\/em>&#8221;<\/li>\n<li>Gather database usernames and passwords<\/li>\n<li>Read the web application&#8217;s source code and possibly find further vulnerabilities.<\/li>\n<\/ul><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3010\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/blogs.securiteam.com\/wp-content\/uploads\/2017\/02\/Tripwire-IP360-300x87.jpg\"\/><\/p>\n<p><strong>Credit to Author: Maor Schwartz| Date: Wed, 15 Feb 2017 07:16:18 +0000<\/strong><\/p>\n<p>Vulnerabilities Summary The following advisory describes a Local File Inclusion (LFI) vulnerability found in Tripwire IP360 
version 7.2.6. Tripwire IP360 is an enterprise-class vulnerability and risk assessment product; it provides visibility into the enterprise network, including all networked devices and their associated operating systems and applications. Credit An independent security researcher Mohammed Shameem has reported this &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3010\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory \u2013 Tripwire IP360 Local File Inclusion<\/span> <span class=\"meta-nav\">&#8594;<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[10755],"class_list":["post-6650","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-commentary"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6650","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6650"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6650\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6650"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6650"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.ph
p\/wp-json\/wp\/v2\/tags?post=6650"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}