Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal

Title: Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal
Advisory ID: ZSL-2022-5709
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information
Risk: (4/5)
Release Date: 30.06.2022

Summary

pCO sistema is the solution CAREL offers its customers for managing HVAC/R applications and systems. It consists of programmable controllers, user interfaces, gateways and communication interfaces, remote management systems to offer the OEMs working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced to the more widely-used Building Management Systems, and can also be integrated into proprietary supervisory systems.

Description

The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the ‘file’ GET parameter through the ‘logdownload.cgi’ Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

Vendor

CAREL INDUSTRIES S.p.A. - https://www.carel.com

Affected Version

Firmware: A2.1.0 - B2.1.0
Application Software: 2.15.4A
Software version: v16 13020200

Tested On

GNU/Linux 4.11.12 (armv7l)
thttpd/2.29

Vendor Status

[10.05.2022] Vulnerability discovered.
[27.05.2022] Vendor contacted.
[27.05.2022] Vendor responds creating request ID 00027344. Will come back soon with an answer.
[29.06.2022] No response from the vendor.
[30.06.2022] Public security advisory released.

PoC

carelpco_dir.txt

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

N/A

Changelog

[30.06.2022] - Initial release

Contact

Zero Science Lab

Web: https://www.zeroscience.mk
e-mail: [email protected]