Loytec LGATE-902 XSS / Traversal / File Deletion

`INFORMATION  
  
Product: Loytec LGATE-902 (https://www.loytec.com/)  
Affected versions: < 6.4.2 (tested on version 6.3.2)  
CVE IDs: CVE-2018-14919 (Stored and reflected XSS), CVE-2018-14918 (Path  
traversal), and CVE-2018-14916 (Arbitrary file deletion).  
Remote-exploit: yes  
  
TIMELINE  
  
Vendor notification: 26th July, 2018  
Vendor acknowledgment: 1st August, 2018  
Patch available: 13th November, 2018  
Public disclosure: 7th April, 2019  
  
INTRODUCTION  
  
The LGATE-902 Gateway is a powerful gateway that can host user specific  
graphical pages. The gateways provide connectivity functions to concurrently  
integrate CEA-709 (LonMark Systems), BACnet, KNX, Modbus, and M-Bus. Local  
operation and override is provided by the built-in jog dial and the backlit  
display (128x64 pixels). Device and data point information is provided by the  
Web interface and shown on the display via symbols and in text format.  
(Description from: https://www.loytec.com/products/gateways/2259-lgate-902)  
  
The three vulnerabilities described below affect the web application that runs  
in the gateways and that is used to manage them.  
  
VULNERABILITIES DESCRIPTION  
  
The XSS vulnerability (CVE-2018-14919) allows an attacker to inject malicious  
scripts into the trusted web interface running on a vulnerable device. The  
scripts may be executed by the browser of an unsuspecting device administrator  
to access session tokens or other sensitive information, as well as to perform  
malicious actions on behalf of the user (e.g., internal network discovery and  
traffic tunneling using BeEF).  
  
Reflected XSS PoC (show alert dialog):  
http://<device_address>/webui/data/alarm_log_obj?handle=1000%27-alert(1)-%27&page=0  
  
Stored XSS PoC (show alert dialog):  
POST http://<device_address>/webui/config/doc/action save=1&update=1&data=[["test","</script><script>alert(1);</script>",2]]  
  
The path traversal (CVE-2018-14918) and file deletion (CVE-2018-14916)  
vulnerabilities allow an attacker to manipulate path references and access or  
delete files and directories (including critical system files) that are stored  
outside the root folder of the web application running on the device. This can  
be used to read or delete system and configuration files containing, e.g.,  
usernames and passwords.  
  
Path traversal PoC (read /etc/passwd):  
http://<device_address>/webui/file_guest?path=/var/www/documentation/../../../../../etc/passwd&flags=1152  
  
File deletion PoC (delete ../test.txt):  
POST http://<device_address>/webui/config/doc/action  
delete=1&update=1&name=../test.txt  
  
SOLUTION  
  
Update to version 6.4.2  
WARNING - CONFIDENTIAL INFORMATION:  
________________________________  
The information contained in the e-mail may contain confidential and privileged information and is intended solely for the use of the intended recipient(s). Access for any review, re-transmission, dissemination or other use of, or taking of any action in regard and reliance upon this e-mail by persons or entities other than the intended recipient(s) is unauthorized and prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message and any attachments.  
  
  
`