# Talos Vulnerability Report
### TALOS-2022-1607
## Siretta QUARTZ-GOLD httpd delfile.cgi OS command injection vulnerability
##### January 26, 2023
##### CVE Number
CVE-2022-40969
##### SUMMARY
An OS command injection vulnerability exists in the httpd delfile.cgi functionality of Siretta QUARTZ-GOLD G5.0.1.5-210720-141020. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can send an HTTP request to trigger this vulnerability.
##### CONFIRMED VULNERABLE VERSIONS
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Siretta QUARTZ-GOLD G5.0.1.5-210720-141020
##### PRODUCT URLS
QUARTZ-GOLD –
##### CVSSv3 SCORE
7.2 – CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
##### CWE
CWE-78 – Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
##### DETAILS
The Siretta QUARTZ-GOLD is an industrial cellular router with several features and services, such as SSH, UPNP, VPN, SNMP and many others.
The QUARTZ-GOLD router has a web server with several functionalities, a subset of which relate to the management of external files. The web server offers APIs for uploading files, downloading them, and deleting them when they are no longer required.
The following is the API that deletes a previously uploaded file:
```
void delfile.cgi(void)
{
  [...]
  [... calculate the value of the base_folder variable ...]
  _filename_param = (char *)webcgi_safeget("_filename");           [1]
  filename_ = "";
  if (_filename_param != (char *)0x0) {
    filename_ = _filename_param;
  }
  if (*filename_ != '\0') {
    sprintf(command_buff,"rm -rf %s/%s",base_folder,filename_);    [2]
    system(command_buff);                                          [3]
  }
  [...]
}
```
The `delfile.cgi` API expects one parameter, `_filename`, which names the file to delete. At `[1]` the request parameter is fetched, and at `[2]` it is used to compose the command `rm -rf <base_folder>/<_filename>`. The composed string is then passed at `[3]` as the argument of the `system` function. Because `_filename` is not sanitized before it reaches `system`, this can lead to an OS command injection.
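For contrast with the `sprintf`/`system` pattern at `[2]` and `[3]`, here is one way a delete handler can avoid the shell entirely. This is an added example, not the vendor's patch or code from the report; the function names `is_safe_filename` and `delete_uploaded_file`, the allow-list, and the length limits are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed policy: plain file names only, no leading dot, at most 255 bytes. */
static const char ALLOWED[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-";

/* Returns 1 if name is a plain file name under the policy above, else 0. */
int is_safe_filename(const char *name)
{
    size_t len;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 255 || name[0] == '.')
        return 0;
    /* Any byte outside the allow-list (/, `, $, ;, |, space, ...) rejects. */
    return strspn(name, ALLOWED) == len;
}

/* Deletes base_folder/filename without a shell. 0 on success, -1 otherwise. */
int delete_uploaded_file(const char *base_folder, const char *filename)
{
    char path[512];
    int n;
    if (base_folder == NULL || !is_safe_filename(filename))
        return -1;
    n = snprintf(path, sizeof(path), "%s/%s", base_folder, filename);
    if (n < 0 || (size_t)n >= sizeof(path))
        return -1;              /* truncated path: refuse rather than guess */
    return unlink(path);        /* one file, never recursive, no shell parsing */
}

int main(void)
{
    /* Constructed sample inputs; the second is the value from the report's PoC. */
    const char *samples[] = { "backup-2022.cfg", "`reboot`f", "../passwd", "a;b" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s -> %s\n", samples[i],
               is_safe_filename(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Calling `unlink` directly means the file name is never interpreted by a shell, and the allow-list additionally keeps the deletion inside the upload directory.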
### Exploit Proof of Concept
Sending a request like the following:
```
POST /delfile.cgi HTTP/1.1
Authorization: Basic
Content-Length: 48

_filename=`reboot`f&_http_id=
```
will cause the device to reboot.
##### TIMELINE
2022-10-14 – Initial Vendor Contact
2022-10-20 – Vendor Disclosure
2022-11-24 – Vendor Patch Release
2023-01-26 – Public Release
##### Credit
Discovered by Francesco Benvenuto of Cisco Talos.