Talos IntelligenceTALOS-2021-1322Lantronix PremierWave 2050 Web Manager Applications and FsBrowse local file inclusion vulnerability
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:C/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
29.5%
Summary
A local file inclusion vulnerability exists in the Web Manager Applications and FsBrowse functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted series of HTTP requests can lead to local file inclusion. An attacker can make a series of authenticated HTTP requests to trigger this vulnerability.
Tested Versions
Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU)
Product URLs
<https://www.lantronix.com/products/premierwave2050/>
CVSSv3 Score
4.9 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
CWE
CWE-668 - Exposure of Resource to Wrong Sphere
Details
PremierWave 2050 is an embedded Wi-Fi Module manufactured by Lantronix.
The PremierWave 2050 provides its users the ability to upload and execute arbitrary python scripts. This functionality is accessible via the Administration > Applications interface of the Web Manager site. The device executes these scripts as a low-privilege user named default. Permissions are appropriately reduced via setuid and setgid before executing the script.
Executing the following python script will fail, as expected, due to a permission error.
print(open('/etc/shadow', 'r').read())
However, an authorization mismatch exists between the privileges used when executing python applications and the privileges used when browsing the file system via the Filesystem > Browse page. The Web Manager application does not drop privileges when interacting with the file system on behalf of the user.
Instead, an authenticated and authorized attacker can successfully execute the following python script.
import os
os.system('ln -s /etc/shadow ./shadow')
Subsequently navigating to the Filesystem > Browse page will allow the authenticated attacker to access the symlinked file with root privileges and disclose the contents of /etc/shadow or any arbitrary file.
Timeline
2021-06-14 - Vendor Disclosure
2021-06-15 - Vendor acknowledged
2021-09-01 - Talos granted disclosure extension to 2021-10-15
2021-10-18 - Vendor requested release push to 2nd week of November. Talos confirmed final extension and disclosure date
2021-11-15 - Public Release
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:C/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
29.5%