### Summary

A data removal vulnerability exists in the web_server /action/remove/ API functionality of Robustel R1510 3.3.0. A specially-crafted network request can lead to arbitrary file deletion. An attacker can send a sequence of requests to trigger this vulnerability.

### Tested Versions

Robustel R1510 3.3.0

### Product URLs

R1510 –

### CVSSv3 Score

8.7 – CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H

### CWE

CWE-20 – Improper Input Validation

### Details

The R1510 is an industrial cellular router. It offers several advanced software like an innovative use of Open VPN, Cloud management, data over-use guard, smart reboot and others.

The R1510 has a web server that manages several APIs. One of these API is `/ajax/remove/`. This function allows to remove files, checking for possible path traversal in the provided input.

Here it is the function that handles the `/ajax/remove/` API:

undefined4 /ajax/remove/(Webs *webs)

{
[…]

[…]
file_name = (char *)websGetVar(webs,”file_name”,0); [1]
if ((file_name != (char *)0x0) &&
(shell_command = strstr(file_name,”..”), shell_command == (char *)0x0)) { [2]
shell_command = (char *)sfmt(“rm %s -rf”,file_name); [3]
iVar1 = system(shell_command);
[…]
}

At `[1]` the variable `file_name` is fetched and then used, at `[3]`, to create the string `rm -rf`. The function checks, at `[2]`, if the provided `filen_name` contains `..`. This check, allegedly, is used to prevent path traversal. But because `file_name` can be an absolute path, an attacker, able to control `file_name` would be able to delete arbitrary file and directory.

### Timeline

2022-06-27 – Initial vendor contact
2022-06-28 – Vendor Disclosure
2022-06-30 – Public ReleaseRead More