####################################################################### Luigi Auriemma Application: NeroNET http://www.nero.com Versions: <= 1.2.0.2 Platforms: Windows Bug: limited directory traversal Exploitation: remote Date: 02 Nov 2005 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== NeroNET is a web server which allows Nero users to use a CD/DVD burner remotely. ####################################################################### ====== 2) Bug ====== The program is affected by a classical directory traversal bug which can be exploited by anyone since the directories used as base for the attack (www and status) are publics and do NOT require authorization. Both slash and backslash and the relative HTTP encoded chars are allowed. The limitation of this bug is that only some file extensions are allowed: nri, nrg, zip, dvi, rtf, ppt, pdf, mpe, mpeg, mpg, mov, qt, vob, avi, wav, mp3, bmp, tiff, tif, jpe, jpeg, jpg, gif, log, txt, sdp, css, js, html, htm The check made by NeroNET is only on the beginning of the extension so JSP or JSWHATYOUWANT are allowed extensions since JS is in the list. ####################################################################### =========== 3) The Code =========== http://host/www/..%2f..%5c../..../folder/file.txt ####################################################################### ====== 4) Fix ====== No fix. No reply from the vendor. #######################################################################