COMMAND

    Snapstream PVS

SYSTEMS AFFECTED

    Snapstream PVS

PROBLEM

    Following  is  based  on   a  Interrorem  security   announcement.
    Snapstream PVS is a Personal Video System for Windows Systems.  It
    allows users to schedule recordings  on their PC and to  view them
    later at the  leisure, at their  local machine or  across a TCP/IP
    network via an HTTP interface.

    Typically, the Snapstream HTTP interface runs on TCP port 8129.

    Issue 1: Directory traversal bug
    ================================
    It is  possible to  navigate outside  of the  HTTP base directory,
    and download  any file  from the  host for  which the  filename is
    known.  The HTTP server runs in the context of the logged in user.
    Examples:

        http://home.victim.com:8080/../../../../autoexec.bat
        http://home.victim.com:8080/../../../winnt/repair/sam

    Any files on the target system are available to an attacker.

    Issue 2: SSD.ini
    ================
    SSD.ini, which contains a great deal of information regarding  the
    target system can be retrieved remotely using the method  detailed
    above.  Example:

        http://home.victim.com:8080/../ssd.ini

    Information  included  in  the  ini  file  includes base directory
    location, usernames, and passwords.

    Issue 3: Passwords are stored as plaintext in SSD.INI
    =====================================================
    Passwords to the SnapStream PVS software are recoverable  remotely
    using the method detailed in Issue 2.

SOLUTION

    Nothing yet.