Reporter Brandon Perry
`WebTitan 4.01 (build 148) multiple vulnerabilities
WebTitan suffers from many command injection attacks, which is exacerbated by the fact that the “role-based” access is superficial only. An attacker with any credentials to the system can execute remote commands as a variety of local users. An authorized attacker can also take advantage of a directory traversal attack as the ‘www’ user and read arbitrary files. The application seems to only change what it displays to the users based on their roles, but these limited users can still successfully perform any request an “admin” can perform.
Because of these vulnerabilities, in the worst case scenario, a limited-access authorized user can eventually run commands remotely as the root user.
Remote Command Execution as ‘www’ - x3
The ping, traceroute, and dig utilities exposed via the admin interface are susceptible to remote command injection. (Support tab -> Diagnostics)
Remote Command Execution as ‘webtitan’
When saving the domain name of the appliance, an attacker can execute arbitrary commands with bash metacharacters in the domain name. (System setup tab -> Network)
Remote command execution as ‘root’
When saving the hostname, while very limited in space (15 chars), you can execute `whoami` and it will set the hostname to root. (System setup tab -> Network)
If you take advantage of the domain name exploit to achieve a shell as webtitan, but also reboot the server, you will achieve a connect back as root upon reboot. (System setup tab -> Shutdown/Reboot)
Directory traversal as ‘www’
The mechanism that allows an administrator to download the ‘webtitan.log’ file is susceptible to a directory traversal attack, allowing any authenticated attacker to download any file that the ‘www’ user can read. (Logs tab -> Interface)