CVE-2022-29932 - Primeur Spazio MFT - Information Disclosure (Memory Leak)

Description

The HTTP Server in PRIMEUR SPAZIO 2.5.1.954 (Managed File Transfer) allows a remote unauthenticated attacker to obtain sensitive data (related to the content of transferred files) via a crafted HTTP request.

The vendor has acknowledged the vulnerability, promptly notified all impacted customers and provided a patch.

Affected Product Code Base

Primeur Spazio - 2.5.1.954.

Other versions may also be affected.

Attack Vectors

To exploit the vulnerability, an unauthenticated attacker only needs to send a crafted HTTP request.

Discovered by

Andrea Mattiazzo, Alessandro Cudini, Antonio Montesano, Emanuele Chiossi, Giovanni Battista Colonna

Reference

https://www.primeur.com/managed-file-transfer

Proof-of-Concept (POC)

While browsing the website without any credentials and fuzzing the root directory, it was observed that some web resources were generated in real time.

[Image 1]

Further analysis showed that those resources (i.e. folders) correspond directly to data directories that already exist on the web server (i.e. subfolders of the web root).

[Image 2]

When a crafted HTTP request points to one of these data directories with the trailing "/" character removed, the web server's HTTP response contains leaked memory (an unmanaged memory leak). As an example, we created two folders on the web server named "assets" and "pippo" to reproduce the insecure behaviour and obtain the leaked memory.

[Image 3]

[Image 4]

By downloading or browsing to the resource that returns the leaked memory, it was possible to access the exfiltrated memory buffer, which contained the content of files exchanged by authorized users of the File Transfer solution, resulting in an information disclosure.

[Image 5]

Since folder names are usually easy to enumerate with any fuzzer, and some folders have standard names (errors, templates, images), the bug is easy to exploit.
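For defenders who cannot deploy the vendor patch immediately, the request pattern described in this proof-of-concept (a client requesting top-level directory names without the trailing "/", many of them in a row, and receiving a response much larger than the directory itself produces) is visible in ordinary web server access logs. The script below is an added example, not part of the advisory and not Primeur code. It assumes Common Log Format access logs (the real Spazio log format is not described here), uses constructed sample lines, and takes the folder names, the three-directory enumeration threshold and the tenfold size ratio as tunable assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines in Common Log Format. They are not real
# Spazio logs: 10.0.0.5 models a client fuzzing directory names, 10.0.0.7 an
# ordinary user. The folder names are the ones mentioned in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2022:10:01:01 +0000] "GET /assets/ HTTP/1.1" 200 512
10.0.0.5 - - [12/May/2022:10:01:02 +0000] "GET /assets HTTP/1.1" 200 65536
10.0.0.5 - - [12/May/2022:10:01:03 +0000] "GET /pippo HTTP/1.1" 200 131072
10.0.0.5 - - [12/May/2022:10:01:04 +0000] "GET /errors HTTP/1.1" 200 70000
10.0.0.5 - - [12/May/2022:10:01:05 +0000] "GET /templates HTTP/1.1" 200 80000
10.0.0.5 - - [12/May/2022:10:01:06 +0000] "GET /nonexistent HTTP/1.1" 404 162
10.0.0.7 - - [12/May/2022:10:02:00 +0000] "GET /login HTTP/1.1" 200 2048
10.0.0.7 - - [12/May/2022:10:02:01 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
"""

# Directory names the advisory describes as easily guessable (assumed list;
# extend it with the directories actually present under the deployment's web root).
KNOWN_DIRS = {"assets", "pippo", "errors", "templates", "images"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_log(text):
    """Parse CLF lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["size"] = 0 if e["size"] == "-" else int(e["size"])
        entries.append(e)
    return entries


def is_slashless_dir_request(entry, known_dirs=KNOWN_DIRS):
    """True for a successful GET of a known top-level directory without its trailing slash."""
    path = entry["path"].split("?", 1)[0]  # ignore any query string
    return (entry["method"] == "GET"
            and entry["status"] == 200
            and not path.endswith("/")
            and path.count("/") == 1      # top-level name only, e.g. "/assets"
            and path[1:] in known_dirs)


def suspicious_requests(entries, known_dirs=KNOWN_DIRS):
    """All log entries matching the slashless-directory pattern."""
    return [e for e in entries if is_slashless_dir_request(e, known_dirs)]


def enumeration_sources(entries, known_dirs=KNOWN_DIRS, min_dirs=3):
    """Client IPs that hit at least `min_dirs` distinct directories without a trailing
    slash, i.e. the fuzzing behaviour the advisory describes."""
    dirs_by_ip = defaultdict(set)
    for e in suspicious_requests(entries, known_dirs):
        dirs_by_ip[e["ip"]].add(e["path"])
    return {ip: sorted(d) for ip, d in dirs_by_ip.items() if len(d) >= min_dirs}


def size_anomalies(entries, known_dirs=KNOWN_DIRS, ratio=10):
    """(name, slashed_size, slashless_size) tuples where the slashless response was at
    least `ratio` times larger than the normal "/name/" response for the same directory,
    a sign that the body carried more than the directory resource itself."""
    slashed = {}
    for e in entries:
        p = e["path"]
        if e["status"] == 200 and p.endswith("/") and p[1:-1] in known_dirs:
            slashed[p[1:-1]] = e["size"]
    anomalies = []
    for e in suspicious_requests(entries, known_dirs):
        name = e["path"][1:]
        if name in slashed and e["size"] >= ratio * slashed[name]:
            anomalies.append((name, slashed[name], e["size"]))
    return anomalies


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("enumeration sources:", enumeration_sources(log))
    print("size anomalies:", size_anomalies(log))
```

Run against a real access log by replacing `SAMPLE_LOG` with the file contents; the two heuristics are complementary, since `enumeration_sources` catches the scanning phase even when the response sizes are not logged, while `size_anomalies` flags a single successful request that returned far more data than the directory normally does.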