Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15777
HistoryJan 21, 2007 - 12:00 a.m.

[Full-disclosure] Flaw in AVM UPNP service for windows

2007-01-2100:00:00
vulners.com
8
JSON
  • Description
    The "AVM IGD CTRL Service", a Universal Plug and Play (UPNP) service for
    windows, which is part of the software package "Fritz!DSL Software
    02.02.29" provides the possibility to read any file on the windows
    system partition for any user - no matter how much restricted rights the
    user has.
    It is even possible to read files from any LAN computer on which this
    service is running and it is possible to read critical system files (SAM
    DB copies, profile files of any user) because the service is running
    under the (locally) most privileged system account.

The mentioned software package is shipped with VOIP routers from the
german company AVM (www.avm.de).

  • Reproduction
    Relative URLs for the AR7 webserver (which is part of the mentioned UPNP
    service) can be used to read files on the system partition. Because
    backslashes can't be directly used in a URL "%5C" has to be used.

Examples for local and remote files of LAN computers:
http://localhost:49001/..%5C..%5C..%5Cwindows%5Csystem.ini
http://192.168.178.20:49001/..%5C..%5C..%5Cwindows%5Csystem.ini

  • Workaround
    Disable the "AVM IGD CTRL Service" under the services control panel.

Regards,

DPR

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON