The Visionsoft Audit on Demand Service (VSAOD) in Visionsoft Audit 12.4.0.0 does not require authentication for (1) the LOG. command, which allows remote attackers to create or overwrite arbitrary files; (2) the SETTINGSFILE command, which allows remote attackers to overwrite the ini file, and reconfigure VSAOD or cause a denial of service; or (3) the UNINSTALL command, which allows remote attackers to cause a denial of service (daemon shutdown). NOTE: vector 1 can be leveraged for code execution by writing to a Startup folder.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Audit | Visionsoft | 12.4.0.0 (including) | 12.4.0.0 (including) |
References
- http://osvdb.org/42462
- http://www.portcullis.co.uk/uplds/advisories/vafileover-06-039.txt
- http://www.portcullis.co.uk/uplds/advisories/vainifileoverwrite%20-%2006_041.txt
- http://www.portcullis.co.uk/uplds/advisories/vauninstall%2006_045.txt
- http://www.securityfocus.com/bid/25153
- http://osvdb.org/42462
- http://www.portcullis.co.uk/uplds/advisories/vafileover-06-039.txt
- http://www.portcullis.co.uk/uplds/advisories/vainifileoverwrite%20-%2006_041.txt
- http://www.portcullis.co.uk/uplds/advisories/vauninstall%2006_045.txt
- http://www.securityfocus.com/bid/25153