Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-40969: TALOS-2022-1607 || Cisco Talos Intelligence Group

An os command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

CVE
#vulnerability#web#cisco#intel#auth#ssh

SUMMARY

An os command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

PRODUCT URLS

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

CVSSv3 SCORE

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

DETAILS

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to delete a previously uploaded file:

void delfile.cgi(void)

{
  [...]

  [... calculate the value of the base_folder variable ...]
  _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
  filename_ = "";
  if (_filename_param != (char *)0x0) {
    filename_ = _filename_param;
  }
  if (*filename_ != '\0') {
    sprintf(command_buff,"rm -rf %s/%s",base_folder,filename_);                                                 [2]
    system(command_buff);                                                                                       [3]
  }
  [...]
}

The delfile.cgi expects one parameter called _filename that represents the filename of the desired file to be deleted. At [1] the uploaded parameter is taken and then used at [2] for composing the command rm -rf <base_folder>/<_filename>. The composed string is then used at [3] as argument of the system function. The _filename is not sanitized and will be used in the system function, which can lead to an OS command injection.

Exploit Proof of Concept

Sending a request like the following:

POST /delfile.cgi HTTP/1.1
Authorization: Basic <a valid basic auth value>
Content-Length: 48

_filename=`reboot`f&_http_id=<the correct tid>

will cause the device to reboot.

TIMELINE

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Related news

The many vulnerabilities Talos discovered in SOHO and industrial wireless routers post-VPNFilter

Given the privileged position these devices occupy on the networks they serve, they are prime targets for attackers, so their security posture is of paramount importance.

Vulnerability Spotlight: OS command injection, directory traversal and other vulnerabilities found in Siretta Quartz-Gold and FreshTomato

Francesco Benvenuto of Cisco Talos discovered these vulnerabilities. Cisco Talos recently discovered several vulnerabilities in the Siretta Quartz-Gold router. Talos also discovered vulnerabilities in FreshTomato while investigating the Siretta router. The Siretta Quartz-Gold is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907